At its June 18 open meeting, FERC issued a notice of inquiry seeking public input on cybersecurity-related enhancements to the Critical Infrastructure Protection (CIP) reliability standards. In light of the constantly evolving nature of cybersecurity threats to the bulk power system, FERC is interested in determining whether the current CIP standards adequately address specific cyberrisk areas related to data security and cybersecurity incident detection, containment, and mitigation. In addition, FERC is seeking comment on the potential risk of a coordinated cyberattack on geographically distributed targets.
The Federal Energy Regulatory Commission (FERC) issued a notice on May 20 that it will convene a Commissioner-led technical conference to consider the ongoing, serious impacts that the emergency conditions caused by the coronavirus (COVID-19) pandemic are having on the energy industry. The conference will be free, open to the public, and held remotely on Wednesday and Thursday, July 8-9, 2020. Attendees may preregister online here.
In mid-March the Commission began issuing guidance to address the immediate needs of FERC-jurisdictional entities, including various waivers and extensions necessary to assist energy companies with managing their regulatory responsibilities while dealing with the pandemic. The conference will be more forward-looking, and is expected to focus on the potential longer-term impacts from the pandemic on energy companies, energy markets, energy system reliability, and consumer protection.
President Donald Trump signed an executive order on May 1 declaring that the use of bulk-power system equipment supplied by companies controlled by certain foreign nations poses an extraordinary threat to the US power grid. The order observes that the bulk-power system is a valuable target for malicious actors, and any attack on that system could pose serious risks to the economy, public health and safety, and national security.
In light of those risks, the executive order declares a national emergency with respect to the power grid and moves to ban the unrestricted import or use of bulk-power system electric equipment from foreign adversaries. Although the order calls for coordination among multiple executive branch heads, including the Director of National Intelligence and the Secretary of Homeland Security, it primarily tasks the Secretary of Energy with fulfilling the President’s directives.
In an order issued on April 17, the Federal Energy Regulatory Commission (FERC) agreed to defer implementation of certain cybersecurity and operational reliability standards administered by the North American Electric Reliability Corporation (NERC) that had important compliance milestones later this year, including the suite of supply chain risk management standards that have been under development for several years and were set to take effect on July 1. The move by FERC is intended to provide some measure of relief from impending compliance burdens and to allow electric utilities to focus their resources on responding to the coronavirus (COVID-19) pandemic.
Commission Chairman Neil Chatterjee held a press conference on March 19 to discuss FERC’s work during the current pandemic, provide updates regarding the coronavirus (COVID-19), and respond to questions from the media. According to today’s announcements, FERC plans to keep operating as usual but will provide extensive flexibility to the regulated industry in addressing the effects of the pandemic on FERC-jurisdictional activities.
FERC and NERC issued a joint notice on Wednesday providing compliance flexibility on certain key reliability standard requirements during the ongoing coronavirus (COVID-19) pandemic. Although this guidance can allow utilities to avoid findings of noncompliance for certain requirements where timely compliance activities could be difficult due to personnel shortages and other limitations, this is not a blanket waiver. Instead, utilities must provide written notices of their intent to use this guidance. The content of those notices must be drafted carefully as they will be necessary to demonstrate compliance in future reviews.
The new flexibility is as follows:
- Due to the limited availability of NERC-certified operators, if a utility cannot provide sufficient certified operators to comply with PER-003 due to COVID-19, the use of noncertified operators is permitted through the end of 2020. In order to take advantage of this flexibility, utilities will need to notify their Regional Entities and Reliability Coordinators (ISO-NE and NYISO). Training requirements, such as those in PER-005, continue to apply.
- Because of the resource limitations during this time period, periodic actions required by the reliability standards that must occur between March 1, 2020, and July 31, 2020, can be missed on a case-by-case basis if the activities cannot be performed due to COVID-19. To use this flexibility, utilities will need to notify their regional entities of the specific actions that will be missed. These periodic requirements exist in both the Operating & Planning standards (such as protection system maintenance and testing) and the Critical Infrastructure Protection standards (such as patching and vulnerability assessments).
Following the increased spread of COVID-19 within the United States, the North American Electric Reliability Corporation (NERC) issued a Level 2 Alert on March 10 to all users, owners, and operators of the bulk-power system, outlining a series of recommendations and requiring certain responses from each entity about their plans for continued reliable operation under pandemic circumstances.
Although the Alert focuses on certain practical steps for maintaining electric reliability, it should also prompt electric utilities to consider how they can ensure that the tasks necessary for compliance with mandatory reliability standards can continue to be performed if large percentages of a utility’s workforce cannot be physically in control centers, generation control rooms, or field locations. Thinking through and planning for the compliance program implications of the COVID-19 pandemic in advance of significant outbreaks can assist utilities in maintaining compliance under these circumstances.
Recommended Steps: Maintaining Electric Reliability
The NERC Alert notes that the spread of the virus is likely to increase in the near future, and provides six recommendations to address that threat:
- Utilities should maintain situational awareness of the spread of COVID-19 and follow Centers for Disease Control and Prevention (CDC) advisories in determining whether travel and attendance at events and conferences is appropriate.
- Personnel working at utilities should follow good hygiene practices and implement social distancing. As part of these efforts, utilities should enhance their cleaning practices, with a focus on those areas where utility personnel may be enclosed for extended periods of time, such as control rooms, conference rooms, and vehicles. The Alert also notes that utilities should consider reducing access to their facilities by visitors, and segregating work crews who are on different schedules.
- Business continuity plans should be reviewed to address and prepare for disruptions such as significant staffing constraints and loss of contractor personnel. Notably, the Alert encourages utilities to establish thresholds for implementing remote work and similar workplace flexibility arrangements.
- Utilities should assess their ability to demonstrate resilience in the event they cannot receive ready resupply from supply chains that are often global in nature, particularly where procurement strategies rely in part on “just-in-time” logistics systems. The Alert recommends a review of current inventories, including what is likely to be available from suppliers.
- Utilities should consider whether their planned maintenance and construction activities should go forward on the same schedule, or whether certain projects should be prioritized in light of the ability to schedule outages, reduce the consumption of inventory, and work through workforce limitations.
- Utilities should be aware of a number of cyber-risks related to COVID-19, including the increased likelihood that phishing and similar social engineering attacks will exploit the heightened anxiety surrounding the pandemic, and the need to maintain cyber asset availability in the event of staffing disruption and widespread remote work needs.
The Alert requires utilities to respond to several questions, with responses due on March 20, 2020. The questions ask whether the utility
- has a pandemic response plan;
- has reviewed staffing requirements and resources in preparation for a pandemic emergency from COVID-19;
- would be able to provide mutual aid to other companies if the company’s region is not affected;
- has reviewed supply chains and services for potential disruptions; and
- anticipates other risks to reliability and security from the event.
Compliance Planning Implications
Although the Alert does not directly address compliance planning under pandemic conditions, utilities subject to NERC reliability standards should consider the steps they may need to take to achieve continued compliance in circumstances where personnel shortages may be acute, remote working arrangements may be required, and resupply of key inventory could be difficult to achieve.
Although each utility’s circumstances differ, considering the following issues may be helpful in ensuring compliance during this difficult period and avoiding the expense and time required to resolve instances of noncompliance.
- Stress-Test Your Remote Working. Consider the ability of company networks to handle nearly all of the utility’s personnel working remotely, including through stress-testing remote work capabilities. If there are limitations, consider providing prioritized access to personnel whose access is necessary for achieving compliance, such as personnel responsible for reviewing access logs, troubleshooting operator and energy management system issues, installing patches, and configuration management.
- Assess the Ability to Supply Sufficient Personnel. Evaluate the ability of the utility’s supply chain to supply needed parts and personnel. For example, if protection system maintenance activities require the replacement of certain parts, consider whether an adequate supply exists without significant resupply. Similarly, if vegetation management requires significant personnel, including contractor personnel, consider how those tasks can be completed within the time frame with a smaller workforce.
- Analyze Changes to Tasks at Remote Sites. For tasks that require significant travel to remote locations, such as patching systems without interactive remote access, consider whether the workforce would be able to support those time-intensive tasks and, if not, consider whether alternatives are available (e.g., the use of patch mitigation plans) or if tasks could be pushed up or pushed out while staying within the necessary time frame.
- Protect Key Teams. Consider methods to separate and protect teams such as restoration teams, construction teams, control center shifts, and the like that are necessary to maintain day-to-day operations for the reliability coordinator, transmission operator, balancing authority, and generator operator functions.
- Determine Minimum Staffing Levels. Consider identifying the minimum staffing level at which certain operational assets can continue to operate safely and in compliance, and below which that asset would be taken offline.
- Expand the Pool of Qualified Personnel. Consider expanding the pool of personnel who have received personnel risk assessments and background trainings for working with assets subject to critical infrastructure protection reliability standards.
- Communicate with Audit Teams. If your utility has an in-person audit or spot check scheduled in the near future, consider outreach to the audit or spot-check team lead to discuss moving to remote reviews that avoid large in-person meetings and travel. For example, audit interviews could be conducted by phone, with evidence presented electronically.
Note that although the NERC Sanction Guidelines would allow NERC and the Regional Entities to consider the extenuating circumstances of a pandemic in assessing a penalty—or to forgo a financial penalty entirely—NERC cannot waive noncompliance, and in many cases the true cost of resolving noncompliance is the reporting, enforcement resolution, and mitigation expense.
As your utility continues its preparation for COVID-19, consider reviewing the additional federal and NERC guidance linked below:
- NERC’s Influenza Pandemic Planning, Preparation, and Response Reference Guide
- Joint NERC-DOE High-Impact, Low-Frequency Event Risk to the North American Bulk Power System
- DHS’s Pandemic Influenza Preparedness, Response, and Recovery Guide for Critical Infrastructure and Key Resources
If you have any questions about reliability compliance or other utility operational or commercial issues under pandemic circumstances, please reach out to any of the authors of this post.
At its open meeting on November 21, FERC announced organizational changes to enhance the agency’s focus on cybersecurity threats and challenges to electric infrastructure. Commission staff unveiled five “focus areas” related to grid cybersecurity and announced organizational changes within the Office of Energy Projects (OEP) and Office of Electric Reliability (OER) designed to better position Commission resources to address cybersecurity concerns.
New Strategic Focus Areas
Commission staff developed the following five focus areas based on their review of threat reports (public and nonpublic), global cybersecurity events, North American Electric Reliability Corporation (NERC) CIP standards, and OEP’s specialized security program for hydropower projects.
- Supply Chain/Insider Threat/Third-Party Authorized Access
This is not the first time the Commission has made supply chain and third-party (or vendor) management security a priority. In 2016, the Commission directed NERC to develop mandatory supply chain risk management controls, which have since been approved and are set to take effect next year.
Facing what it deems an “unprecedented number of FOIA requests” for nonpublic information related to utility violations of the North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) requirements governing cybersecurity compliance for critical electric infrastructure, FERC Staff has issued a white paper proposing to make publicly available additional information regarding those violations, including the names of the utilities involved. If adopted, this proposal could increase the risk of a serious and successful attack on the nation’s electric infrastructure with no benefit other than a “name and shame” approach to CIP enforcement.
FERC recently approved proposed Reliability Standard CIP-008-6, which expands the mandatory reporting requirements for Cyber Security Incidents that attempt to compromise the operation of the bulk power system. Under the new standard, electric utilities will need to implement more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents and attempted cyber intrusions than are currently required. The new standard goes into effect on January 1, 2021.
As we reported, NERC developed the revised standard in response to the Commission’s directive to broaden the scope of mandatory reporting of Cyber Security Incidents. In particular, the Commission was concerned with the risk posed by malicious intrusion attempts that might facilitate subsequent efforts to harm the reliable operation of the bulk power system.