On July 18, 2013, FERC issued a report on its audit of Salt River Project Agricultural Improvement and Power District (SRP). This audit commenced on November 15, 2011, and it reviewed SRP’s compliance with the NERC reliability standards for the entire period from June 18, 2007 (when the reliability standards became mandatory and enforceable) until March 14, 2013. According to the audit report, the focus of the audit was on the last two years.
This audit is one of a handful of reliability standards audits conducted almost exclusively by FERC staff. In fact, the audit report does not mention any participation by NERC. The report does indicate that FERC staff conferred with NERC’s regional entity, the Western Electric Coordinating Council (WECC), to obtain background information concerning “SRP’s reliability history, risk areas, and other areas of concern.” However, there is no indication that NERC staff or WECC staff were involved in the site visits or other aspects of the audit or that NERC or WECC concurred in the FERC staff’s audit findings.
The conduct of this audit appears consistent with other similar independent reliability standards audits conducted by FERC staff. Like the other FERC audits, and unlike compliance audits conducted by NERC’s regional entities, the SRP audit took two years to complete. Also outlined below, the SRP audit report identifies a number of areas in which “SRP could enhance its … compliance” and describes facts that do not appear consistent with certain reliability standards requirements, but it does not explicitly identify or allege any reliability standards violations.
As described in the audit report, FERC audit staff raised concerns and made recommendations in the following areas:
- Although SRP conducted a review of the ports and services of its Critical Cyber Assets that was generally consistent with Reliability Standard CIP-007-3 R2, SRP should not have relied solely on manufacturer documentation of required ports and services for two relays that were too sensitive to be included in electronic port scanning. FERC staff recommended that SRP conduct port scanning on identically configured relays in a lab environment.
- SRP’s cyber security monitoring under Reliability Standard CIP-005-3 R3.2 could be improved by formalizing its process for manual review of access logs to ensure that the manual reviews are conducted on regular time intervals.
- SRP should enhance its cyber security training program required by Reliability Standard CIP-004-3 by including training on networking hardware and software and other issues of electronic connectivity, including specific examples to illustrate how the training applied to each employee’s position; and extending the training to contractors and other service providers who are subject to Reliability Standard CIP-004-3.
- SRP failed to annually test each category of backup media devices or all of the necessary restoration information contained on those back up media devices consistent with Reliability Standard CIP-009-3 R5.
- With respect to SRP’s plan to continue reliability operations in the event a control center outage under Reliability Standard EOP-008-0, SRP should include all 12 of its critical substations in those annual tests, and should expedite its plans to implement redundant communications to these critical substations.
- SRP could improve its operating personnel training under Reliability Standard PER-002-0 by including unit-specific generator characteristics that could be useful in responding to cold weather events and by maintaining complete records of training for newly hired personnel.
- Although SRP enhanced its training of distribution operators with respect to load shedding consistent with Reliability Standards EOP-003-1 R5 and R8, SRP could improve the training by incorporating simulations and drills.
The absence of any findings in this audit report of possible or alleged violations of reliability standards should not be taken as an indication that FERC staff believes that SRP was fully compliant with the reliability standards. As we reported in a blog post in April, Entergy was the subject of a similar audit in 2010, and three years after the issuance of FERC staff’s audit report in which no violations were alleged, FERC disclosed that its auditors referred the matter to FERC’s investigation staff. The subsequent investigation led to a $975,000 penalty against Entergy for 27 reliability standards violations. Given the Entergy precedent, it is possible that this audit report does not reflect FERC’s final conclusions as to whether SRP was compliant with the reliability standards.