Standing Committee on Public Accounts

Independent Electricity System Operator – Market Oversight and Cybersecurity

(Section 3.06, 2017 Annual Report of the Office of the Auditor General of Ontario)

3rd Session, 41st Parliament
67 Elizabeth II


ISBN 978-1-4868-1797-9 (Print)
ISBN 978-1-4868-1799-3 [English] (PDF)
ISBN 978-1-4868-1801-3 [French] (PDF)
ISBN 978-1-4868-1798-6 [English] (HTML)
ISBN 978-1-4868-1800-6 [French] (HTML)


 

The Honourable Dave Levac, MPP
Speaker of the Legislative Assembly

Sir,

Your Standing Committee on Public Accounts has the honour to present its Report and commends it to the House.

 

Ernie Hardeman, MPP
Chair of the Committee

Queen's Park
May 2018

 


Standing Committee on Public Accounts

Membership List

3rd Session, 41st Parliament

Ernie Hardeman

Chair

Lisa MacLeod

Vice-Chair

Bob Delaney

Vic Dhillon

Han Dong

John Fraser

Percy Hatfield

Randy Hillier

Liz Sandals


Katch Koch

Clerk of the Committee

Ian Morris

Research Officer



Contents

Glossary of Terms

Introduction

Acknowledgements

Background

Main Points of Audit

Issues Raised in the Audit and Before the Committee

OEB Market Surveillance Panel

Standby Cost Recovery Program

Lost Profit Recovery Program

Market Renewal Working Group

IESO Oversight Division

Industrial Conservation Initiative

Cybersecurity

Senior-level Position

Staffing Levels

IT Project Planning

Monitoring of User Access

External Vendors

Backup Tapes

Consolidated List of Committee Recommendations

 


Glossary of Terms

(unless noted otherwise, all terms are as used in the Auditor’s 2017 Annual Report)

backup tapes: the tapes on which data from a primary storage device is periodically copied so the data can be recovered if there is a hard disk crash or failure

global adjustment: a component of electricity bills whose amount is calculated to make up the difference between the revenues obtained from the electricity market price and the total payments made to regulated and contracted generators (whose prices are guaranteed) and the former Ontario Power Authority’s conservation programs

Independent Electricity System Operator (IESO): the administrator of the Ontario wholesale electricity market to match electricity supply with demand, among other responsibilities

IESO Oversight Division: the term used in this report to refer to the IESO’s Market Assessment and Compliance Division (MACD)

Industrial Conservation Initiative (ICI): a form of demand response that allows participating customers to manage their global adjustment costs by reducing demand during peak periods (source: IESO, “ICI Backgrounder”)

Lost Profit Recovery Program: the term used in this report to refer to Congestion Management Settlement Credits (CMSCs)

Market Renewal initiative: an IESO initiative aimed at addressing known market inefficiencies with the current market design (source: IESO, “Market Renewal Backgrounder”)

market rules: the rules that govern the operation of the wholesale electricity market in Ontario, administered by the IESO

Ontario Energy Board (OEB): the regulator of electricity and natural gas in Ontario

OEB Panel: the term used in this report to refer to the Market Surveillance Panel (MSP) under the OEB

Standby Cost Recovery Program: the term used in this report to refer to the Real-Time Generation Cost Guarantee Program


 

Introduction

On March 7, 2018 the Standing Committee on Public Accounts (the Committee) held public hearings on the audit (section 3.06, 2017 Annual Report of the Office of the Auditor General of Ontario [“Auditor”]) of Independent Electricity System Operator–Market Oversight and Cyber Security. Senior officials from the Ministry of Energy, the Independent Electricity System Operator (IESO), and the Ontario Energy Board (OEB) participated in the hearings. (For a transcript of the Committee proceedings, please see Committee Hansard, March 7, 2018.)

The Committee endorses the Auditor’s findings and recommendations and presents its own findings, views, and recommendations in this report. The Committee requests that the Ministry of Energy provide the Committee Clerk with written responses to the recommendations within 120 calendar days of the tabling of this report with the Speaker of the Legislative Assembly, unless otherwise specified.

Acknowledgements 

The Standing Committee on Public Accounts extends its appreciation to officials from the Ministry of Energy, the IESO, and the OEB for their attendance at the hearings. The Committee also acknowledges the assistance provided during the hearings and report writing deliberations by the Office of the Auditor General of Ontario, the Clerk of the Committee, and staff in the Legislative Research Service.

Background

The Independent Electricity System Operator (IESO) operates the wholesale electricity market. This includes receiving competitive price offers from power generators and electricity importers to supply electricity.

Generators generally set their offers in order to recover their marginal costs for producing electricity. Simultaneously, a small number of large industrial consumers and out-of-province electricity importers submit bids to the IESO on quantity and price. The IESO chooses the generators with the lowest price offers to supply the electricity needed to meet consumer demand. A new market-clearing price for electricity is set every five minutes, and the average of the 12 prices set per hour is the Hourly Ontario Energy Price charged to consumers.

Since 2015 the IESO has been responsible for long-term planning for electricity and procuring the necessary generation capacity in Ontario. Procurement is done by signing contracts that provide guaranteed payments to generators for building and maintaining generation equipment (e.g., nuclear and gas plants). Oversight responsibility of the electricity market is shared by the Ontario Energy Board (OEB) and the IESO as follows:


 

· The IESO is responsible for fixing weaknesses and flaws in the design of the market. The IESO’s Market Assessment and Compliance Division (“IESO Oversight Division”) monitors and investigates suspicious activity by market participants and fines rule-breakers.

· The OEB reviews the ratepayer impact assessment provided by the IESO prior to a change to the design of the market. The OEB can revoke any market rule change and ask the IESO Board to review or reconsider the change if the OEB considers that the change is not in line with criteria set out in the Electricity Act, 1998; these include, among other things, considerations of the public interest and impact on ratepayers. The OEB’s Market Surveillance Panel (“OEB Panel”) monitors the market operated by the IESO, and investigates and reports on potential market vulnerabilities.

Main Points of Audit

The audit identified that the OEB Panel has been effective in monitoring and reporting inappropriate market conduct, and in recommending that the IESO fix problems with the market design. However, the audit also found that the OEB could have done more to protect ratepayers’ interests by addressing the IESO’s inaction on the OEB Panel’s repeated recommendations to fix certain weaknesses and flaws in the design of Ontario’s electricity market. 

The IESO’s Market Renewal initiative includes a working group aimed at helping to determine the future design of the electricity market in Ontario. In addition to limited representation of residential ratepayers’ interests in the working group, members include market participants that have been, or are being, investigated for benefitting financially from existing market design problems.

Further, the Auditor found that the government has broadened participation in the Industrial Conservation Initiative (ICI) several times. The ICI allows industrial ratepayers to reduce their electricity charges by shifting their global adjustment costs to residential and small-business ratepayers. The OEB Panel reported on the impact of the ICI shortly after it was launched in January 2011. Electricity prices for about 65 large industrial ratepayers decreased by about 13%. In the first 10 months of the ICI, their global adjustment charge was reduced by about $245 million. This $245 million was added to the electricity bills of residential and small-business ratepayers. The ICI has been expanded three times since it was launched, shifting a larger amount of global adjustment charge from large industrial ratepayers to residential and small-business ratepayers.

The audit also found that although the IESO’s cybersecurity system complies with power grid reliability standards, it could be better equipped to defend itself from any advanced cyberattack.


 

Issues Raised in the Audit and Before the Committee

Significant issues were raised in the audit and before the Committee. The Committee considers the issues below to be of particular importance.

OEB Market Surveillance Panel

The audit found that the OEB and IESO could have done more to support the OEB Panel’s recommendations. In particular, the OEB could have revoked certain changes to market rules when concerns were raised by the OEB Panel about two programs in particular: the Real-Time Generation Cost Guarantee Program (“Standby Cost Recovery Program”) and the Congestion Management Settlement Credits (“Lost Profit Recovery Program”). Similarly, the IESO has not always taken the necessary steps to meaningfully implement the OEB Panel’s recommendations relating to these two programs.

In its response to the Auditor’s recommendations, the IESO stated that it considers every OEB Panel recommendation and underpinning analysis. The IESO added that it has acted on a number of the recommendations made by the OEB Panel in the past and has made a number of market rule amendments as a result. The IESO said it will continue to analyze and assess the OEB Panel’s recommendations and consider possible amendments to market rules to address those recommendations. This will be balanced against the need to ensure reliability of the electricity network, the impact on market design (including potential unintended adverse effects), and the ability of the IESO and market participants to implement the possible changes. The IESO added that, in some cases, the IESO’s own assessments found that implementing certain changes recommended by the OEB Panel would have compromised the reliability of Ontario’s electricity system. The IESO attributed this to the different mandates of the OEB Panel and the IESO. The OEB Panel looks at the electricity system from a market efficiency standpoint while the IESO must consider a broader range of factors. Most importantly, it must ensure the reliability of the grid.

The Committee believes that it is important to achieve and maintain both efficiency and reliability in Ontario’s electricity market system. However, the OEB and IESO should still attempt to address and, where feasible, implement the OEB Panel’s recommendations.

Committee Recommendations

The Standing Committee on Public Accounts recommends that:

1.    The IESO provide the Committee details on the approach it takes when deciding whether or not to implement a recommendation submitted by the OEB Market Surveillance Panel.

2.    The OEB provide the Committee with its rationale for having never revoked a market rule change.

3.    The Ministry of Energy provide the Committee, when available, the results of its review of the Electricity Act, 1998 concerning the market rule amendment process and the legislative authority of the OEB.

Standby Cost Recovery Program

The audit found that the IESO has not fully acted on recommendations from the OEB Panel to scale back the Standby Cost Recovery Program. The program continues to pay gas generators an average of about $30 million more per year than necessary. For example, of the about $600 million of costs paid under this program between 2006 and 2015, nine gas and coal generators claimed as much as $260 million in ineligible costs. The IESO recovered only about $168 million, or about two-thirds of this amount.

In its response to the Auditor’s recommendations, the IESO stated that it will meet with the OEB Panel in April 2018 to present a detailed analysis supporting the rationale for maintaining a real-time generator commitment mechanism. The IESO added that it had implemented a new cost recovery framework for this program on August 1, 2017. Under this framework, eligible costs are set and approved in advance of participating in the program for each participant. The IESO noted a drop in program costs from $61 million in 2014 to $22 million in 2017.

Through its Market Renewal initiative, the IESO will replace the Standby Cost Recovery Program with the Enhanced Real-Time Unit Commitment program. The IESO described this new program as a more efficient and transparent form of unit commitment. The IESO added that until fundamental changes can be made, the current program is necessary to maintain reliability and to comply with mandatory continent-wide power system reliability standards. The IESO expects to have the new program in place in 2020.

Committee Recommendations

The Standing Committee on Public Accounts recommends that:

4.    The IESO

a)    describe its new cost recovery framework for the Standby Cost Recovery Program; and

b)   provide the Committee with the total costs of the Standby Cost Recovery Program in 2017.

5.    The IESO provide a rationale for the continued usage of the Standby Cost Recovery Program.

Lost Profit Recovery Program

The Auditor noted that the OEB Panel had repeatedly warned the IESO about generators and large industrial consumers taking advantage of the Lost Profit Recovery Program since it began in 2002. Investigations by the OEB Panel found misuse of this program.

In response to the Auditor’s recommendations, the IESO stated that it has acted on a number of the recommendations made by the OEB Panel relating to the Lost Profit Recovery Program and has implemented more than a dozen market rule amendments regarding the program. The IESO cited the following excerpt from a December 2016 OEB Panel report: “many of the most problematic issues associated with the CMSC [Lost Profit Recovery Program] regime have been brought to an end—in large measure as a result of the Panel having identified these situations, and the IESO having acted to eliminate them.”

The IESO added that the expected introduction of a single schedule market—a part of its Market Renewal initiative—would eliminate the need for the Lost Profit Recovery Program. 

Committee Recommendation

The Standing Committee on Public Accounts recommends that:

6.    The IESO provide a rationale for the continued usage of the Lost Profit Recovery Program.

Market Renewal Working Group

The Market Renewal initiative is an IESO initiative aimed at addressing known market inefficiencies with the current market design. The audit found that there is little representation of ratepayers’ interests on the 23-member working group tasked with advising the IESO on the future design of the electricity market. Some members of this group, nominated by the IESO, work for companies that have been, or are being, investigated for benefiting financially from existing market design problems.

In its response, the IESO noted that in December 2017, a member representing low volume consumers was added to the Market Renewal Working Group. In addition, the IESO will complete a general review of its engagement strategy with an implementation date of third quarter of 2018. The IESO added that the engagement strategy will continue to be aligned with its engagement principles and ensure wide representation from market participants, sector stakeholders, and other stakeholders such as low volume consumers.

IESO Oversight Division

The Auditor noted that the IESO Oversight Division’s enforcement actions have been limited due to a lack of staff, high employee turnover, and fewer investigative powers compared with the OEB Panel. For example, an average of 30% of the Division’s employees have left each year since 2012 because about a third of the Division’s staffing allocation is for temporary positions only.

In its response to the Auditor’s recommendations, the IESO Oversight Division will complete a risk and resourcing assessment in the first quarter of 2018 to identify opportunities to convert contracted staff to regular status and increase the total level of resources to the enforcement and oversight functions.


 

The Ministry of Energy explained that it is working closely with the IESO in reviewing the appropriate role and legislative authority of the IESO Oversight Division in order to ensure that there are effective and efficient investigations of potential abuses of market rules.

The audit also found that the IESO Oversight Division’s computer system lacked functionality and could no longer support the Oversight Division’s oversight activities.

In its response, the IESO stated that substantial technical support has been provided to the IESO Oversight Division to enable the development of technical business requirements geared towards an enforcement support tool. On a pilot basis, a proposed tool is being used and the IESO expects to complete its internal assessment of this tool by the second quarter of 2018.

Committee Recommendations

The Standing Committee on Public Accounts recommends that:

7.    The IESO provide the Committee with a description of the Oversight Division’s new computer system;

a)    the expected date for full implementation; and

b)   a summary of its plans for providing IT support on the new system.

Industrial Conservation Initiative

The audit found that the expansion of the Industrial Conservation Initiative (ICI) has led to increases in electricity charges of residential and small-business ratepayers while decreasing those of large industrial ratepayers. Since its launch in January 2011, the ICI has been expanded three times to make more industrial ratepayers eligible.

In its response, the Ministry of Energy explained that the ICI has been successful at reducing peak electricity demand, which benefits the system by reducing the need for peaking generation. This in turn puts downward pressure on electricity system costs. The IESO estimated that ICI reduced peak demand by about 1,300 megawatts in 2016. The Ministry stated that ICI supports a fair cost allocation framework as consumers who are contributing the least to peak demand pay a smaller portion of these related long-run costs. The Ministry added that the IESO publishes the allocation of global adjustment costs each month on its website, as well as the consumption for each class of consumer.

The Ministry explained that the benefit for residential and small-business consumers would not be influenced by the expansion of the ICI. The Ontario Fair Hydro Plan reduced electricity bills for residential consumers by an average of 25% and will hold any increases to the rate of inflation for four years.

The Ministry continues to monitor and report on the impact of the ICI program on the electricity system, including reductions in peak demand and impacts on all classes of electricity consumers. The results of the ICI program can be seen in monthly IESO reports and the quarterly Ontario Energy Report.

Committee Recommendation

The Standing Committee on Public Accounts recommends that:

8.    The Ministry of Energy provide an analysis of the expected long-term impact of the expansion of the Industrial Conservation Initiative on residential and small-business ratepayers.

Cybersecurity

The Auditor found that while the IESO’s cybersecurity system complied with power grid reliability standards, improvements would help it protect against the risks of cyberattacks. In particular, the Auditor noted that the IESO could improve cybersecurity by creating a senior executive position accountable for cybersecurity, increasing its cybersecurity staff, and having an IT cybersecurity vendor on standby. Further, it could procure technology that monitors users’ access to confidential information and do more to protect backup tapes and safeguard confidential information.

In its response to the Auditor’s recommendations, the IESO stated that it complies with all applicable North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standards, which include standards for cybersecurity. However, the IESO outlined a number of undertakings concerning cybersecurity that address the Auditor’s recommendations.

Senior-level Position

The IESO stated that it had begun the process of recruiting a new Chief Information Officer (CIO) with an increased focus on cybersecurity. The target date for the appointment of the CIO is by the end of the first quarter of 2018. The IESO added that it is also looking to establish a senior-level position for cybersecurity that will report to the CIO. The target date for this role is the first quarter of 2018.

The IESO further explained that the successful candidate in the CIO position would be an experienced senior technology executive with a deep understanding of critical infrastructure protection environments and experience in directing enterprise-wide cybersecurity management programs.

Staffing Levels

The IESO had begun implementing an independent consultant’s recommendation to increase the number of current cybersecurity staff. The IESO has retained the services of a cybersecurity vendor to augment the existing staff in the event of a major cybersecurity event. Also, the IESO has launched a competitive process to retain a cybersecurity third-party vendor that will, in conjunction with IESO staff, provide a robust security operations center enabling 24/7/365 real-time cybersecurity monitoring.

IT Project Planning

The IESO committed to ensuring there is a “cybersecurity by design” approach in all of its information technology (IT)-related projects. That means ensuring that the cybersecurity requirements are being considered early in the process of any new IT program design and that sufficient cybersecurity staff are allocated at this important part of any project. This will be further facilitated by the IESO’s new Project Management Office, which was formed in the fourth quarter of 2017.

The incoming CIO and senior-level cybersecurity resource will be tasked with overseeing the integration of security practices into the IESO’s project management program and individual IT project lifecycles. The IESO will also be developing a best practices guide for the sector on cybersecurity risks in the supply chain. This would be applicable to the vendor supply chain that delivers industrial control system hardware, software, and computing and networking services associated with both the bulk system operations and traditional enterprise environments. The guide is expected to be in place by the end of 2018.

Monitoring of User Access

The IESO has procured robust detection technology that has the ability to identify activity that could lead to breaches of confidential information or compromise the integrity of the IESO’s IT environments. Through the delivery of the Advanced Malware project, the detection technology is now in place. The IESO added that it is making minor refinements to the Advanced Malware system and project closure is planned for the end of the first quarter of 2018.

External Vendors

The IESO indicated that it is in the process of developing and implementing supply chain risk management measures that comply with North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Supply Chain risk standards, which will also include processes that are responsive to the Auditor’s recommendation.

In addition, the IESO noted that it is expanding its cybersecurity governance framework over the next two to three years to meet the National Institute of Standards and Technology (NIST) Cybersecurity framework that will help assess and mitigate vendor risks to the supply chain. This framework would establish effective security governance around external vendors. The plan associated with this will be developed by the end of 2018.

Backup Tapes

The IESO has eliminated the use of tape-based backups in favour of system and data redundancy across two highly available and redundant data centers. The IESO added that it would continue to investigate the feasibility of storing all legacy backup tapes off-site and to protect its tapes with encryption.


 

Consolidated list of Committee Recommendations

The Standing Committee on Public Accounts recommends that:

  1. The IESO provide the Committee details on the approach it takes when deciding whether or not to implement a recommendation submitted by the OEB Market Surveillance Panel.
  2. The OEB provide the Committee with its rationale for having never revoked a market rule change.
  3. The Ministry of Energy provide the Committee, when available, the results of its review of the Electricity Act, 1998 concerning the market rule amendment process and the legislative authority of the OEB.
  4. The IESO

a)    describe its new cost recovery framework for the Standby Cost Recovery Program; and

b)    provide the Committee with the total costs of the Standby Cost Recovery Program in 2017.

  5. The IESO provide a rationale for the continued usage of the Standby Cost Recovery Program.
  6. The IESO provide a rationale for the continued usage of the Lost Profit Recovery Program.
  7. The IESO provide the Committee with a description of the Oversight Division’s new computer system;

a)    the expected date for full implementation; and

b)    a summary of its plans for providing IT support on the new system.

  8. The Ministry of Energy provide an analysis of the expected long-term impact of the expansion of the Industrial Conservation Initiative on residential and small-business ratepayers.