At FERC’s open meeting on April 19, 2012, FERC approved several orders addressing core aspects of Reliability Standards compliance, including cybersecurity Reliability Standards, compliance registration, and contingency planning issues. The newly approved cybersecurity Reliability Standards significantly increase the scope of facilities subject to those requirements, the compliance registration decisions clarify the jurisdictional boundary between distribution and transmission facilities, and the planning orders represent a rejection of NERC’s approach to planning for firm load loss following a single contingency.
Please join us for an all-day conference addressing strategies and trends in cyber risk and cybersecurity for the nation's energy infrastructure.
The Obama administration, Congress, and federal regulators continue to increase their focus on cyber risks to U.S. energy infrastructure. At the same time, businesses themselves have sought to increase the resistance of the energy sector to cyber attacks through voluntary public-private partnerships and similar nonregulatory efforts.
On October 13, the U.S. Securities and Exchange Commission (SEC) issued disclosure guidance related to cybersecurity risks and costs that may have far-reaching impacts on electric utilities. For those electric utilities already subject to the North American Electric Reliability Corporation (NERC) cybersecurity requirements, this guidance suggests the need for increased scrutiny of compliance costs and harms resulting from cyber incidents and potential cyber incidents to evaluate appropriate disclosure. With the pending increase in the number of assets covered by the Version 4 Critical Infrastructure Protection (CIP) Reliability Standards, which the Federal Energy Regulatory Commission (FERC) recently proposed to approve, the costs of compliance are likely to significantly increase across the electric utilities industry, affecting a wide variety of SEC registrants subject to FERC's reliability jurisdiction.
On July 19, 2011, following a lengthy consideration of the smart grid interoperability standards proposed by the National Institute of Standards and Technology (NIST), FERC terminated its consideration of the five “families” of proposed interoperability standards, concluding that there was a lack of consensus regarding the standards.
On June 30, 2011, NERC filed its remaining responses to FERC’s recent questions on the expected scope of bulk-power system facilities considered Critical Assets under the proposed CIP-002-4 Reliability Standard. The proposed standard would, for the first time, create bright-line criteria for identifying the facilities subject to NERC’s CIP-002 through CIP-009 Critical Infrastructure Protection Reliability Standards, moving away from the current criteria that grant a great deal of discretion to individual entities.
On June 1, 2011, Morgan Lewis's Energy Practice is hosting an all-day seminar on reliability standards compliance. Discussions will include:
- Emerging NERC compliance issues
- Cyber security compliance issues and preparation for Version 4 standards
- Preparing for NERC Reliability Standards audits
- Impact of Compliance Application Notices on requests for interpretation
- Responding to NERC alerts
- Issues related to NERC event analyses
- Prospects for energy legislation
On October 15, 2010, the North American Electric Reliability Corporation (“NERC”) submitted in Docket No. RM06-22-000, to the Federal Energy Regulatory Commission (“FERC”), a status report concluding that all of the balance of plant within a nuclear facility is subject to the cyber security standards of the Nuclear Regulatory Commission (“NRC”), and not subject to NERC’s Critical Infrastructure Protection (“CIP”) Reliability Standards.
In Order No. 706, FERC directed NERC to determine whether the balance of a nuclear power plant facility is subject to CIP regulation. The purpose of the directive is to assure that there is no regulatory “gap” between the CIP standards and the NRC cyber security regulations. Further, in Order No. 706-B, FERC directed NERC to find “bright-line” criteria to determine whether the balance of a nuclear plant’s equipment is subject to the CIP standards.
On October 7, 2010, the Federal Energy Regulatory Commission (“Commission”) opened Docket No. RM11-2-000 to initiate rulemaking proceedings concerning Smart Grid Interoperability Standards.
The Energy Independence and Security Act of 2007 (“EISA”) promulgated the policy of the United States to update and modernize the national electric transmission system, and to design a regulatory structure to produce interoperability of smart grid technology, which includes model standards for information management. In furtherance of such policies, the National Institute of Standards and Technology (“NIST”) is directed by EISA to develop smart grid interoperability standards, which are then subjected to the administrative rulemaking process for potential approval when the Commission finds such standards meet a “sufficient consensus.” Although the Commission does not have the authority under EISA to enforce the final standards, it would consider mandating compliance with the standards under its authority delegated by the Federal Power Act.
On June 9, the U.S. House of Representatives passed the Grid Reliability and Infrastructure Defense Act (GRID Act), which is intended to strengthen the U.S. electrical grid against terrorist attacks, cyber threats, electromagnetic pulse weapons, and solar storms. The GRID Act authorizes the Federal Energy Regulatory Commission (FERC) to issue emergency orders to protect critical electric infrastructure, and to take other measures to address current and potential vulnerabilities.
The GRID Act amends the Federal Power Act to permit FERC to issue orders for emergency measures to protect the reliability of either the bulk-power system or critical electric infrastructure whenever the President issues a written directive or determination identifying an imminent grid security threat. FERC’s authority to take such action can be employed without notice or hearing. However, FERC, to the extent practicable in light of the nature of the grid security threat and the urgency for emergency measures, is instructed to consult with certain governmental authorities, including the governments of Canada and Mexico, regarding implementation of such emergency measures. Any orders issued by FERC that implement emergency measures must be discontinued within 30 days of (i) the President providing a directive that an imminent security threat no longer exists, or (ii) FERC determining that the need for emergency measures no longer exists. In no case may a Commission order implementing emergency measures continue for longer than one year.