GridSME to feature at PV O&M USA 2017
October 9, 2017

We’re excited to announce that GridSME team members Matt Barnes and John Franzino will be joining the likes of EDF, 8minutenergy, PG&E, Nautilus Solar, RES, Lendlease, MidAmerican, and many more at PV O&M USA 2017.

Matt will be exploring the business case and revenue streams for solar+storage projects with a panel of industry experts.

John will be explaining how to leverage available data to drive cyber security decision making for PV facility operations.

More information on the event, agenda, speakers, and attendees can be found here.

If you are interested in attending the 4th Annual PV O&M USA 2017 conference & exhibition this Nov 2-3 in San Jose CA, GridSME has a $200 discount code (GRIDSME200) for affiliates to utilize. To register at this rate, members need only quote the code when they register online or message Kerr Jeferies directly at ahead of Oct 27 to secure this discount before the early bird rates also expire.

CIP Extension Granted

  • February 25, 2016
  • FERC

The implementation of V5 has been delayed until July 1, 2016 to coincide with the initial V6 changes.

While the extension is surely welcomed by many, this should not be seen as an opportunity to take your eye off the ball. Registered entities should keep an April 1 target date and allow themselves to test run their V5/V6 programs and controls. July 1 will approach quickly, and security threats, which continue to increase in frequency and complexity, will not take a three-month break.

GridSME’s Andrew Dressel Published in Hydro Review on NERC CIP Version 5
August 4, 2014

  • NERC


Last month, GridSME’s Andrew Dressel was featured in Hydro Review’s July 2014 issue. His article, “NERC CIP Version 5: Impact to Hydro Owners and Operators,” focuses on the background of CIP standards, the upcoming CIP Version 5 transition, and areas of concern regarding its implementation in the hydroelectric realm. Amongst these concerns, he highlights high watermarking as well as configuration change management and vulnerability assessments. He advises those who haven’t begun preparation for the April 1, 2016 implementation date to start immediately and provides a list of resources that should be considered by anyone looking to stay compliant.

For more information about Hydro Review Magazine, you can go to their website:

FERC Approves CIP Version 5 Reliability Standards
November 25, 2013

  • FERC


We always comment that the pace of regulatory change in our industry is increasing, and last Thursday was a great example. As you are likely aware, FERC approved version 5 of the Critical Infrastructure Protection reliability standards proposed by NERC last Thursday, November 21. Version 5 represents a significant change in approach that will require a host of new activities for registered entities. Version 5 will affect, to a great degree, many of the entities that previously had few or no Critical Cyber Assets. One of the biggest unknowns is what will ultimately be required for the Low Impact designated facilities under the new criteria. We are tracking this particular development closely and will ensure that all are kept up with the latest information.

Please find the link to the CIP V5 Regulatory Bulletin below, which is a supplement to our monthly newsletter.

At GridSME, we are currently working with clients on implementing version 5. We can help answer questions or give guidance to your compliance program as you start to assess the necessary changes. Although the effective date of version 5 is not until 2016, we would strongly suggest starting your CIP V5 assessment and preparations as soon as possible. There are many things you’ll need to consider that may change how you are implementing projects, making decisions on facilities, access controls, etc. Starting your CIP version 5 transition now can help align your organization to be compliant on day one of the implementation date.

Please feel free to contact our office and talk with our compliance team regarding CIP version 5 changes and challenges.

We look forward to assisting you.

GridSME CIP V5 Order Summary

GridSME to Host and Present CIP V5 Panel at NHA Hydraulic Power Committee Mtg
August 6, 2013

GridSME will host and participate on a panel addressing the transition to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 5 standards, which are proposed to be approved by the Federal Energy Regulatory Commission (FERC). The meeting will be held at the Historic Davenport Hotel in Spokane, WA September 9-11. GridSME will be presenting on the morning of Wednesday September 11. The highlight of the meeting (other than our presentation, of course) will be a tour of the Grand Coulee hydroelectric facility. Registration and information details can be found at – NOTE: you must register by Aug. 9th to gain security clearance for the Grand Coulee tour.

GridSME is proud to announce Merced Irrigation District as our newest client
April 15, 2013

GridSME is proud to announce the addition of the Merced Irrigation District to our list of clients. GridSME will assist Merced’s NERC Compliance Program and provide guidance on CAISO market opportunities.

Merced Irrigation District owns, operates and maintains the New Exchequer and McSwain dams, reservoirs, and hydroelectric facilities. These are Merced Irrigation District’s primary water storage facilities on the Merced River. They are located in the foothills on the western slope of the Sierra Nevada mountain range, approximately 23 miles northeast of Merced. The two dams and reservoirs are integral parts of the 1964 Merced River Development Project, and are licensed by the Federal Energy Regulatory Commission (FERC). New Exchequer Reservoir (Lake McClure) has a storage capacity of 1,024,600 acre feet, while McSwain Reservoir (Lake McSwain) has a storage capacity of 9,730 acre feet. The New Exchequer Dam Project was completed in 1967 as a multi-purpose facility providing facilities and water for all beneficial uses, including domestic and irrigation water, flood control, hydroelectric power generation, recreation, and the environment.

Merced Irrigation District is authorized to act as an electric utility under the California Water Code. Merced Irrigation District has owned and operated hydroelectric generating facilities on the Merced River since 1927. In 1995, Merced Irrigation District exercised its authority to sell power to retail electric customers. Merced Irrigation District offers its customers full requirements electric service including power supply and delivery to the customer. Since 1996, Merced Irrigation District has connected over 7,500 customers to Merced Irrigation District’s electric system, hooking up an average of 60 meters per month.

Merced is currently registered as a Generator Owner, Generator Operator, Load Serving Entity, Transmission Owner, Resource Planner, and Transmission Planner in the WECC region. To read more about the Merced Irrigation District continue here.

President Obama issues Exec. Order on Critical Infrastructure Cybersecurity
February 13, 2013

Citing “repeated cyber intrusions into critical infrastructure,” President Obama has issued an Executive Order on Improving Critical Infrastructure Cybersecurity. The Order states that “the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” The Order seeks to improve the cybersecurity of Critical Infrastructures in the U.S. through improved communication and coordination with the private sector, directs the National Institute of Standards and Technology (NIST) to develop a comprehensive “Cybersecurity Framework” to reduce cyber risks to critical infrastructure, and creates a voluntary Critical Infrastructure Cybersecurity Program.

The order:

  • defines Critical Infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
  • calls for increased policy coordination and information sharing across governmental agencies and with businesses.
  • tasks the Dept of Justice with establishing procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers.
  • seeks to “expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators,” addressing a concern that has been repeatedly brought up by NERC, EEI, and others in the electric industry.
  • directs the Department of Homeland Security to expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis “to maximize the utility of cyber threat information sharing with the private sector.”
  • seeks “to establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure.”

The order also calls for NIST to develop a Cybersecurity Framework. This Cybersecurity Framework shall:

  • seek to reduce cyber risks to critical infrastructures
  • include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address
  • incorporate voluntary consensus standards and industry best practices to the fullest extent possible
  • provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
  • focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure
  • provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks
  • include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework
  • and be open to a public review and comment process.

One of the more controversial portions of the order is Section 8. Section 8 establishes a Voluntary Critical Infrastructure Cybersecurity Program that will devise a set of incentives to encourage private sector participation. DHS, in coordination with Sector-Specific Agencies, is to establish this program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities. Other Sector-Specific Agencies, in consultation with DHS and the Sector Coordinating Councils, are to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

The DHS, DOD, and GSA are also directed to review procurement rules to assess “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”

DHS is directed to identify the critical infrastructure at the greatest risk:

  • using a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
  • DHS is to “apply consistent, objective criteria in identifying such critical infrastructure without identifying any commercial information technology products or consumer information technology services.”
  • Owners of such infrastructure will be confidentially notified and will be provided the basis for the determination.

Finally, within 2 years after publication of the final Cybersecurity Framework, DHS and other responsible agencies shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.

The Executive Order can be found here

NERC’s Statement about the order is available at

NBC News high-level summary

Modesto Irrigation District taps GridSME for Assistance with its CIP Program
January 23, 2013

On December 26, 2012, the Modesto Irrigation District (MID) entered into a contract with GridSME for assistance with its CIP Compliance Program.

GridSME is proud to have MID as a new client. The addition of MID reinforces GridSME’s position as a leader in providing NERC/WECC compliance services to municipal power utilities along California’s Central Valley and Western slope, as well as a leader in providing consulting services to hydroelectric power providers.

We look forward to this engagement with the Modesto Irrigation District!

GridSME chosen by San Francisco to develop CIP program
January 23, 2013

The San Francisco Public Utilities Commission (SFPUC) chose GridSME as the winning bidder in response to its RFP – Technical Support Services, HHWP NERC Regulatory Standards – Critical Infrastructure Protection.

“We’re thrilled to have this opportunity,” Eric Whitley, GridSME President, said. “This is an important project that reflects the advancement and growth of GridSME, particularly our Compliance Practice.”

The Hetch Hetchy Water and Power (HHWP), a Division of the SFPUC, and a department of the City, is an owner, operator, and user of the Bulk Electric System and as such is subject to compliance with the North American Electric Reliability Corporation (NERC) reliability standards. The HHWP is registered with NERC for the following reliability functions: Generator Owner (GO), Generator Operator (GOP), Purchase-Selling Entity (PSE), Transmission Owner (TO), Transmission Operator (TOP). The RFP sought compliance consultants for assistance relating to NERC Critical Infrastructure Protection (CIP) requirements and the COM-001 standard.

California PUC Mulls Cybersecurity Regulations
October 5, 2012

  • CPUC

On September 19th, the CPUC released a Grid Policy and Planning Paper titled, “Cybersecurity and the Evolving Role of State Regulation: How it Impacts the California Public Utilities Commission.”

In the paper, the CPUC noted that estimates suggest that NERC’s CIP protections failed to cover the vast majority of grid assets, notably distribution facilities and “smart” devices.

The paper states:

the NERC-CIP framework has important limitations. First, NERC-CIP primarily covers only generation and transmission assets that qualify as “critical assets” or “critical cyber-assets.” With grid modernization, this identification is becoming increasingly problematic as many assets, such as advanced meters, do not fall under NERC-CIP but can have a major impact on grid reliability, safety and customer privacy … Second, NERC-CIP is primarily a compliance-based policy. Compliance is an important component of addressing cybersecurity, but it is not enough to ensure that the rapidly evolving risks are adequately considered and acted upon effectively.

State regulators have not traditionally played a large role in cybersecurity. However, this is beginning to change with the recognition that Federal compliance-based models may not be sufficient to ensure grid resiliency, reliability and safety, as well as customer data privacy. With grid modernization on the way, there is an important role that State regulators need to step into.

The CPUC offers the following recommendations:

  • The CPUC should open an Order Instituting Rulemaking (OIR) to explore cybersecurity best practices and develop a cybersecurity approach for the investor-owned utilities in California.
  • The CPUC should consider safe harbor protections to encourage utilities to share information regarding security breaches and attacks.
  • CPUC should evaluate the skill-sets and resources needed for CPUC Staff to adequately address cybersecurity.

It is clear from this paper that the CPUC is quite concerned about the cybersecurity of energy infrastructure. What is unclear at this point is what the state will ultimately decide to do about it. It appears that the CPUC will focus primarily on building a greater understanding of the nature of cyber threats, risk management, and information sharing.
