FERC, CFTC, and State Energy Law Developments

FERC recently approved proposed Reliability Standard CIP-008-6, which expands the mandatory reporting requirements for Cyber Security Incidents that attempt to compromise the operation of the bulk power system. Under the new standard, electric utilities will need to implement more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents and attempted cyber intrusions than are currently required. The new standard goes into effect on January 1, 2021.

As we reported, NERC developed the revised standard in response to the Commission’s directive to broaden the scope of mandatory reporting of Cyber Security Incidents. In particular, the Commission was concerned with the risk posed by malicious intrusion attempts that might facilitate subsequent efforts to harm the reliable operation of the bulk power system.

The US Environmental Protection Agency (EPA) issued three rules on June 19 that may give utilities new reasons to consider investing in certain plant modifications and reassessing the projected lifespans of their facilities. The rules also affect each state’s resource planning process and may contribute to changes in a state’s projected energy resource mixes. In response to the rules, utilities should be prepared for possible changes to state policies defining what constitutes “clean” energy and supporting reliability. The rules are intended to go into effect 30 days from their issuance. However, the implementation timeline for the rules is not certain because several states and organizations have stated they intend to challenge the rules in the federal courts.

The supply chain risks facing electric utilities have long been a concern for industry stakeholders and regulators alike. Reflecting those concerns, NERC submitted a report on May 28 to FERC recommending the expansion of requirements addressing supply chain cybersecurity risks for electric utilities, concluding that the scope of those requirements needed to expand to match the scope of the cybersecurity risk. The development of such revised standards will itself be a lengthy process and subject to additional FERC review.

A recent policy statement from the Office of Management and Budget (OMB) instructs departments and agencies—including independent agencies like FERC—to submit “guidance documents, general statements of policy, and interpretive rules” to the OMB’s Office of Information and Regulatory Affairs (OIRA) for prepublication review. It also establishes guidelines for the OIRA to apply to properly classify regulatory actions and determine whether they are “major” rules for purposes of the Congressional Review Act (CRA). This major determination process will take full effect on May 11, 2019.

FERC issued a Notice of Inquiry (NOI) on March 21 seeking stakeholder comment on the scope and implementation of its electric transmission infrastructure development incentives regulations and policy. The NOI seeks answers to whether and how FERC should update its rules and policies in this area through more than 100 questions organized into four broad categories:

  • FERC’s incentive policies and how it should approach evaluating applicants’ requests for transmission development incentives, including its Return on Equity (ROE) adder policy
  • What expected benefits or project characteristics warrant incentives, including whether the Commission should consider reliability benefits, economic efficiency benefits, security, or resilience in that determination
  • Whether existing incentives, including the ROE adder, remain relevant and appropriate today
  • Whether particular types of infrastructure development incentives should automatically sunset, and under what certain circumstances that should happen

On February 21, FERC issued an order[1] on rehearing and clarification of Order No. 845,[2] which was issued in April 2018, and reformed certain parts of the large generator interconnection rules. As we previously reported, the reforms of Order No. 845 were intended to improve the efficiency of processing interconnection requests, maintain reliability, balance the needs of interconnection customers and transmission owners, and remove barriers to resource development. In Order No. 845-A, FERC generally affirmed Order No. 845 and denied most of the rehearing requests, but did grant clarification and rehearing in limited respects. The revisions and clarifications in Order No. 845-A largely preserve the reforms and explain how certain reforms should be implemented. Order No. 845-A will become effective 75 days after publication in the Federal Register. Transmission providers are required to submit compliance filings by May 22, 2019.

FERC adopted a new rulemaking on February 21 that will substantially simplify requirements applicable to persons holding “interlocking” director and/or officer positions involving more than one public utility, or a public utility and an electric equipment supplier.[1]

Under the Federal Power Act, a person may not hold a director or officer position with one public utility and simultaneously hold another “interlocking” director or officer position with (1) any other public utility; or (2) certain suppliers of electrical equipment, without first receiving FERC authorization.[2] Pre-incumbency applications to FERC are required for interlocks, except in cases in which only certain positions with affiliated public utilities are held, and in those cases pre-appointment affidavit filings and disclosures must be publicly submitted to FERC as “informational reports.”[3] In general, even affiliated utility appointments must also be annually reported to FERC; FERC’s interlock requirements include both initial application (or informational reports) and annual disclosure filings.[4] If an incumbent position-holder is to be appointed to a new entity within a group of affiliated public utilities, then new affidavit filings and “informational reports” will typically be required.

On October 18, the Federal Energy Regulatory Commission (FERC or Commission) issued Order No. 850, adopting a suite of reliability standards proposed by the North American Electric Reliability Corporation (NERC) to address the cybersecurity risks posed by supply chains for industrial control system assets and services in critical electric utility environments. The final rule largely adopts the proposals from the Commission’s Notice of Proposed Rulemaking (NOPR). But the Commission also directs NERC to expand the scope of the new requirements to include Electronic Access or Control Monitoring Systems (EACMS) and to evaluate the need to further expand the scope of the requirements to include Physical Access Control Systems (PACS) and Protected Cyber Assets (PCAs).

Despite fears that the Commission would shorten the implementation period for the new requirements, the Commission adopted the 18-month implementation period that was originally proposed by NERC.

The North American Electric Reliability Corporation (NERC) on September 18 requested Federal Energy Regulatory Commission (FERC) approval of a new Critical Infrastructure Protection (CIP) Reliability Standard, CIP-012-1. The proposed standard would require electric utilities with defined “Control Centers” to implement controls that protect sensitive data communicated between any applicable control centers. Driving the standard is a concern that these control centers can only perform their real-time reliability functions if they can receive and transmit sensitive operational data in a secure manner.