American national security officials believe that spies working on behalf of an adversarial nation-state successfully carried out an attack against US companies by compromising a key hardware supply chain, according to a report issued October 4 by Bloomberg Businessweek. The report details how the attackers implemented a “seeding” attack by installing tiny, malicious microchips on motherboards—a type of computer circuit board that houses processing and other essential components—that were assembled in Chinese factories. The exploit apparently had a ripple effect, as the compromised motherboards were ultimately installed in commercial servers that are widely distributed in the United States. One official estimates that the attack affected almost 30 companies, including a major bank and government contractors, and may have enabled the attackers to communicate with or infiltrate the sabotaged servers.
The North American Electric Reliability Corporation (NERC) on September 18 requested Federal Energy Regulatory Commission (FERC) approval of a new Critical Infrastructure Protection (CIP) Reliability Standard, CIP-012-1. The proposed standard would require electric utilities with defined “Control Centers” to implement controls that protect sensitive data communicated between any applicable control centers. Driving the standard is a concern that these control centers can only perform their real-time reliability functions if they can receive and transmit sensitive operational data in a secure manner.
An amendment to FERC’s M&A statute, Section 203 of the Federal Power Act, was signed into law on September 28. Public Law 115-247 (PL 115-347 or the amendment) makes a minor but helpful change to one provision of FPA Section 203 by immunizing one particular class of transactions from pre-consummation FERC M&A application and approval requirements.
Section 203’s sweep is broad; essentially any direct or indirect “disposition” of voting control over any FERC-jurisdictional “public utility” (almost every US generating company, wholesale power marketer, transmission provider, and traditional franchised utility) requires pre-consummation Section 203 authorization. Only selected types of transactions are exempt, usually those involving smaller “qualifying facility” generators and purely retail businesses and facilities. Some classes of “holding companies” of electric power businesses and assets are also subject to Section 203’s requirements. Numerous technically defined classes of transactions, such as many internal reorganizations, are blanket-authorized under FERC regulations and require no Section 203 applications or orders.
The US Court of Appeals for the Second Circuit on September 27 affirmed a decision of the US District Court for the Southern District of New York dismissing a complaint seeking to invalidate New York’s Zero Emissions Credit (ZEC) program. This decision comes on the heels of a Seventh Circuit decision affirming the validity of a similar ZEC program in Illinois. In its opinion, the Second Circuit noted that its conclusions accorded with the Seventh Circuit’s decision, which we wrote about in an earlier post. Read more.
The Federal Energy Regulatory Commission (FERC) and the US Department of Transportation’s (DOT’s) Pipeline and Hazardous Materials Safety Administration (PHMSA) released a Memorandum of Understanding (MOU) on August 31 to improve coordination throughout the Liquefied Natural Gas (LNG) permit application process for FERC-jurisdictional LNG facilities. The MOU describes FERC and PHMSA’s respective roles and responsibilities concerning siting, construction, and operation of LNG facilities pursuant to currently applicable statutory and regulatory law, and establishes a new coordination framework to streamline the approval process for those facilities. The agencies’ coordination has already helped streamline the environmental review schedules for 12 LNG export terminal applications pending before FERC. Those updated schedules were also released on August 31. The MOU supersedes and provides an updated and more concrete coordination framework than the prior iteration of the agreement between the two agencies that was signed in 1985.
Public comments made last week by Federal Energy Regulatory Commission (FERC) Chief of Staff Anthony Pugliese before the American Nuclear Society indicate that the agency is working with other federal government officials to identify power plants that are “absolutely critical” to the grid, E&E News reported. In particular, Mr. Pugliese revealed that the US Department of Energy and the National Security Council are coordinating with FERC to classify those generators that are vital to ensuring that critical infrastructure, such as hospitals and military bases, remain online and operational. The comments also reflect a related concern that many large gas-fired generators could pose reliability and resiliency risks, as the natural gas infrastructure supporting those plants could be susceptible to physical attacks or cyberattacks.
On August 1, the Federal Energy Regulatory Commission (FERC or the Commission) issued a notice establishing the dates by which certain jurisdictional natural gas pipeline companies must file FERC Form No. 501-G, the “one-time” informational filing the Commission plans to review to ascertain whether the pipelines have, in light of the Tax Cuts and Jobs Act, accounted for reduced federal corporate income taxes in their cost-of-service rates (one-time report). The notice revises the submission dates in FERC Form No. 501-G’s Implementation Guide, which was released alongside FERC’s final rule in Order No. 849, the decision directing the natural gas companies to submit the one-time reports. The final rule is described in more detail in our previous LawFlash.
Under the revised Implementation Guide, natural gas pipeline companies that are required to FERC Form No. 2 or 2-A for calendar year 2017 are organized into three distinct groups. Group I must file FERC Form No. 501-G by October 11, 2018; Group II, by November 8, 2018; and Group III, by December 6, 2018. In its final rule, FERC explained that if a pipeline refuses to promptly submit the one-time report, or fails to correct a patently erroneous or incomplete one-time report, the Commission could consider the pipeline to be in violation of its reporting obligation under FERC’s rules and regulations, provided the Commission does not otherwise grant a waiver for good cause. FERC also emphasized that pipelines may file FERC Form No. 501-G earlier than these dates.
FERC is allowing interested parties to file interventions, protests, and comments in response to the submissions. Those filings will be due 12 days after each pipeline’s one-time report due date.
The Federal Energy Regulatory Commission recently issued two orders intended to alleviate concerns that jurisdictional natural gas pipelines may be over-recovering cost-of-service rates due to (1) a reduction of the federal corporate income tax rate from 35% to 21% under the Tax Cuts and Jobs Act and (2) the DC Circuit Court of Appeals’ decision in United Airlines Inc. v. FERC, which found that FERC’s existing income tax allowance policy, when applied to pass-through entities such as master limited partnerships, creates a possibility of double recovery for income tax allowances under cost-of-service rates. The Commission will now require pipelines to submit informational filings identifying whether the benefits of federal tax reform have been passed on to ratepayers, and has also clarified its guidance that pass-through entity pipelines may eliminate the accumulated deferred income tax component from their rates when they exclude income tax allowances from their costs of service.
The Federal Energy Regulatory Commission (FERC or the Commission) issued Order No. 848 on July 19, directing the North American Electric Reliability Corporation (NERC) to augment the cyber incident reporting requirements under the Critical Infrastructure Protection (CIP) reliability standards. The directive adopts the proposals from the December 2017 Notice of Proposed Rulemaking (NOPR) and reflects the Commission’s view that FERC and NERC need to significantly improve their awareness of the breadth and frequency of the cybersecurity risks that electric utilities encounter.
Read the full Lawflash.