FERC has issued its final rule paving the way for incentive-based rate treatment for electric utilities that make certain voluntary cybersecurity investments. As we first noted in 2020 when describing the proposed rule, the final rule provides a new mechanism for promoting cybersecurity of the bulk-power system by rewarding utilities for proactively enhancing their cybersecurity programs beyond the mandatory requirements of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) reliability standards.
FERC, CFTC, and State Energy Law Developments
There are no unimportant North American Electric Reliability Corporation (NERC) reliability standards, but from time to time, NERC and the Regional Entities (Regions) place greater emphasis on certain reliability standards in response to events affecting the grid. With headline-grabbing physical attacks on power substations across the country in recent months, one of NERC’s greatest current priorities is evaluating the effectiveness of its physical security standards, most notably CIP-014.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) on the new cyber incident reporting requirements for critical infrastructure owners as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
As has been reported, a recent ransomware attack has caused an interstate pipeline and fuel supplier to much of the eastern United States to shut down its operations. Although the attack did not compromise operational systems, the company opted to cease operations as a precautionary measure.
The US Department of Energy submitted a report to the president last month on “Economic and National Security Impacts under a Hydraulic Fracturing Ban.” This 80-page report analyzed the effects of a hypothetical United States ban on high-volume hydraulic fracturing technology used with any new or existing onshore wells starting in 2021 through 2025.
The US Congress adopted extensive federal energy policies in the Energy Act of 2020 (Energy Act), which President Donald Trump signed into law on December 27 as part of the Consolidated Appropriations Act, 2021.
At its December open meeting, FERC proposed to establish rules for incentive-based rate treatments for voluntary cybersecurity investments by a public utility.
The secretary of the US Department of Energy (DOE) issued an order on December 17 prohibiting electric utilities from installing equipment or components provided by Chinese companies in electric facilities serving designated “Critical Defense Facilities.” Relying on authority from Executive Order 13920 on Securing the United States Bulk-Power System, the order identified threats to the electric supply chain from China and concluded that prohibiting Chinese equipment in these sensitive facilities is necessary to respond to the Chinese government’s plans to undermine the bulk-power system.
A cyberattack on a single gas compression facility resulted in the shutdown of a natural gas pipeline for two days, according to a recent alert from the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
At its open meeting on November 21, FERC announced organizational changes to enhance the agency’s focus on cybersecurity threats and challenges to electric infrastructure. Commission staff unveiled five “focus areas” related to grid cybersecurity and announced organizational changes within the Office of Energy Projects (OEP) and Office of Electric Reliability (OER) designed to better position Commission resources to address cybersecurity concerns.