Design Basis Threat Development is Key to Proper “Blackstart” Grid Capability

By Steven T. Naumann, former Vice President, Transmission and NERC Policy, Exelon


In an earlier blog,[1] I discussed the need to create a Design Basis Threat (“DBT”) for blackstart in the face of new and emerging threats, and then conduct the necessary planning studies to ensure there is sufficient and operable blackstart generation available. In addition, there is a need to include flexible blackstart processes to restart the electric grid following interconnection-wide blackouts.

Establishing such a DBT can provide a valuable planning tool for the Transmission Operators and their partners who are responsible for blackstart operations. In particular, as cyber and other threats to blackstart assets and capabilities continue to intensify, DBTs can help system owners and operators target their investments to maintain system resilience. A formal DBT also can provide regulators confidence that those investments are prudent, and deal with ongoing challenges in the availability of gas-fueled cranking-path generators.

In the past, large-scale blackouts on the electric grid have not affected an entire interconnection. Thus, system operators were able to restart generation in the blacked-out areas from external ties.[2] But as we saw from the “near miss” in the February 2021 ERCOT blackout, operators cannot count on outside assistance to restart an interconnection. Sufficient blackstart resources, located in specific locations within each interconnection, are the last line of defense against a prolonged blackout.

All Transmission Operators are required to have blackstart plans in order to restart their systems and eventually tie each restarted system into a stable, interconnected grid.[3] These plans, which are updated as blackstart resources retire, new resources are added, and system topology changes, have been in place for decades.

Recent events, however, including the extreme cold weather in February 2021 and its negative impact on blackstart generation in ERCOT, as well as new and emerging threats such as nation-state cyber attacks, raise the question of whether a top-to-bottom review of blackstart planning needs to be performed based on a series of DBTs to account for new and emerging threats, as well as changes to the resource mix.

A series of DBTs, based on different threats, can build on critical infrastructure protection requirements for the electric power industry. For example, Requirement R4 of NERC Reliability Standard, CIP-014, “Physical Security,” states that “each Transmission Owner . . . shall conduct an evaluation of the potential threats and vulnerabilities of a physical attack.” While this requirement leaves the transmission owner flexibility to define the potential threats,[4] DBTs for blackstart can build on this philosophy. The Nuclear Regulatory Commission, for example, has a more specific DBT for potential physical attacks against nuclear generating stations.[5]

The range of new and emerging threats that need to be considered by industry planners to determine blackstart needs includes:

  • Cyber attacks
  • Physical attacks, including Metcalf-style kinetic attacks and UAVs
  • Electromagnetic Pulse (EMP) attacks
  • Severe weather, such as extreme interconnection-wide cold-air outbreaks
  • Severe space weather causing a Geomagnetic Disturbance (GMD)

Developing a series of DBTs can help ensure that grid planners have a reasonable basis to plan for blackstart to rapidly recover from successful attacks. As shown by the unavailability of a number of blackstart generating units in ERCOT this past February, it is far from clear that the existing blackstart infrastructure is sufficient to rapidly recover from these new and emerging threats.

For example, blackstart resources and facilities on cranking paths are low-impact facilities under NERC Reliability Standard CIP-002, and thus subject to lesser requirements than other facilities.[6] Furthermore, blackstart resources and elements of the cranking path are not covered under NERC Reliability Standard CIP-014 unless the substation in question is covered for other reasons.[7]

In today’s rapidly evolving world of grid threats, it is likely new threats will develop over time. For this reason, there should be different DBTs to address specific threats. And it is critical to develop the DBTs for likely future threats, not just review past experiences.

For example, in its presentation on the February 2021 extreme cold weather, NERC and FERC recommended further studies on blackstart unit availability in ERCOT during cold weather operations.[8] While such after-the-fact studies are necessary given the unavailability of many blackstart resources in ERCOT, limiting the analysis to one specific threat in one specific region is inadequate. More analysis of blackstart capability and adequacy is needed now, on a larger scale, before the next threat arises.

For each threat identified, the DBT should consider how threats to interdependent infrastructure, such as natural gas and communications, could impact blackstart of the grid. Furthermore, the DBTs need to look at multiple threat scenarios, such as a coordinated physical/cyber attack. In addition, the DBTs need to consider additional threats, such as Coercive Information Operations, that also could also interfere with restoration.[9] Coercive Information Operations include misinformation during restoration and telephone denial of service to frustrate customers, such as occurred in Ukraine in 2015.[10]

Finally, in the near-term, the DBTs need to consider electric grids as they are likely to be configured within the 10-year planning horizon. And the time is now to have the DBTs begin evaluating blackstart resource needs and operations for future generation asset combinations, including high levels of renewables, remote generation, storage, and low inertia.

This opens the question of who should conduct the DBTs. Although some may argue for NERC or FERC, the NERC Standards Development Process is lengthy and may not be appropriate for developing DBTs.[11] In my view, and in the view of others such as PJM,[12] the Department of Energy (DOE), as the sector-specific agency for the electricity subsector, should develop the DBTs.

DOE has access to intelligence information about many of these threats, and to the national labs, which have expertise in a number of these threats, such as cyber and EMP. Once the DBTs are developed, NERC could use those DBTs to develop and promulgate blackstart planning and operating standards.

Development of comprehensive DBTs, and the studies to address the needs identified in the DBTs, is no easy task. For example, DOE has stated that there are “unique challenges” to blackstart after an EMP event.[13] Also, in the absence of specific needs, such as requiring blackstart resources to have dual fuel capability, the cost impact of blackstart resources on ratepayers will remain a concern.[14]

Today’s range and sophistication of threats to the grid, and the certainty that more will emerge,  strongly suggests that having DOE-developed DBTs, whether they are turned into NERC Reliability Standards or codified through another mechanism, will provide needed certainty on requirements needed for blackstart. And proposed solutions that consider all known and likely threats will provide a more efficient outcome.


Sources

[1] “Black Start” Capability is Critical to a Resilient Electric Grid, located at https://protectourpower.org/blog/black-start-capability-resilient-electric-grid/.

[2] Docket No. AD21-13, Transcript of Technical Conference to Discuss Climate Change, Extreme Weather, & Electric System Reliability, at 87:12-14 (June 2, 2021)(“in PJM we haven’t fired up a black start unit because we needed it in 25 years”). Following the March 13, 1989 blackout of the Quebec Interconnection, operators were able to restart the grid with assistance from the Ontario and New Brunswick systems (part of the Eastern Interconnection) and a small number of generators that continued to operate (approximately 430 MW of load was served in operating islands). North American Electric Reliability Council, “March 13, 1989 Geomagnetic Disturbance,” at 41-42 located at https://www.nerc.com/pa/Stand/Geomagnetic%20Disturbance%20Resources%20DL/NERC_1989-Quebec-Disturbance_Report.pdf.

[3] See NERC Reliability Standard EOP-005-3, “System Restoration from Blackstart Resources,” (Feb. 9, 2017).

[4] Requirement R4 of CIP-014-2 provides that the evaluation of potential threats and vulnerabilities should be based on the “unique characteristics” of the transmission substation or control center, prior history of attacks on similar facilities and intelligence information. Requirement R6 provides that those evaluations are subject to verification by an independent qualified third-parties.

[5] 10 CFR § 73.1(a).

[6] CIP-002-5.1, Attachment 1, Section 3.4.

[7] According to public reporting, a memo from the FBI, DHS and the National Counterterrorism Center stated that a drone that crashed near an electric station in Pennsylvania in July 2020 was “likely being used in the United States to specifically target energy infrastructure.” See CNN “Drone at Pennsylvania electric substation was first to ‘specifically target energy infrastructure,’ according to federal law enforcement bulletin” (Nov. 4, 2021), located at https://www.cnn.com/2021/11/04/politics/drone-pennsylvania-electric-substation/index.html. In addition, UAVs have been used to attack critical infrastructure in other countries See Scott Crino and Conrad Dreby, “Drone Attacks Against Critical Infrastructure: A Real and Present Threat,” at 2 (Atlantic Council May 2020) (discussing September 2019 drone attacks against Abqaiq and Khurais oil facilities.

.

[8] In its presentation on the February 2021 extreme cold weather, NERC and FERC recommended further studies on blackstart unit availability in ERCOT during cold weather operations. See “Cold Weather Grid Operations: Preliminary Findings and Recommendations,” at 31 (Slide 27), located at https://www.ferc.gov/media/february-2021-cold-weather-grid-operations-preliminary-findings-and-recommendations-full.

[9] See Paul Stockton, “Defeating Coercive Information Operations in Future Crises,” Johns Hopkins Applied Physics Laboratory, located at https://www.jhuapl.edu/Content/documents/DefeatingCoerciveIOs.pdf.

[10] See Analysis of the Cyber Attack on the Ukrainian Power Grid at 12 (March 18, 2016), located at https://www.huntonprivacyblog.com/wp-content/uploads/sites/28/2016/03/Documents_E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.       

[11] See Post-Technical Conference Comments of PJM Interconnection, L.L.C., Docket Number AD21-13-000, at 5 (filed Sept. 27, 2021)(the recent development of NERC Cold Weather Reliability Standards “illustrates the difficulty of developing specific criteria through the NERC stakeholder process”).

[12] Initial Comments of PJM Interconnection, L.L.C., Docket No. RM21-17-000 at 36-37 (filed Oct. 12, 2021).

[13] See US Department of Energy Electromagnetic Pulse Resilience Action Plan at 19 (Jan. 10, 2017), located at https://www.energy.gov/sites/prod/files/2017/01/f34/DOE%20EMP%20Resilience%20Action%20Plan%20January%202017.pdf. See EPRI 2019 Technical Report, High-Altitude Electromagnetic Pulse and the Bulk Power System, Potential Impacts and Mitigation Strategies, at p. 6-2 & Table 6-1 (April 2019)(“recovering from a HEMP-induced blackout can pose unique challenges relative to blackouts resulting from more traditional causes”).

[14] For example, PJM reported that the Organization of PJM States (“OPSI”) was unable to reach a consensus on whether to upgrade all blackstart units to dual fuel capability was “cost-justified.” See Post-Technical Conference Comments of PJM Interconnection, L.L.C., at 12-14; February 13, 2020 Organization of PJM States, Inc. Letter to the PJM Board and Stakeholders, located at https://www.pjm.com/-/media/about-pjm/who-we-are/public-disclosures/20200219-opsi-letter-re-fuel-security-for-black-start-resources.ashx.

Steve Naumann

Author Bio