FERC, CFTC, and State Energy Law Developments
At its December open meeting, FERC proposed to establish rules for incentive-based rate treatments for voluntary cybersecurity investments by a public utility.
Following significant pushback from the regulated community, FERC and NERC Staff jointly announced in a new white paper that filings and other submissions to FERC describing violations of cybersecurity reliability standards would be entirely nonpublic. Under the revised approach, all cybersecurity noncompliance information will be considered CEII and not disclosed in response to FOIA requests.
At its June 18 open meeting, FERC issued a notice of inquiry seeking public input on cybersecurity-related enhancements to the Critical Infrastructure Protection (CIP) reliability standards. In light of the constantly evolving nature of cybersecurity threats to the bulk power system, FERC is interested in determining whether the current CIP standards adequately address specific cyberrisk areas related to data security and cybersecurity incident detection, containment, and mitigation.
The Federal Energy Regulatory Commission (FERC) issued a notice on May 20 that it will convene a Commissioner-led technical conference to consider the ongoing, serious impacts that the emergency conditions caused by the coronavirus (COVID-19) pandemic are having on the energy industry. The conference will be free, open to the public, and held remotely on Wednesday and Thursday, July 8-9, 2020.

President Donald Trump signed an executive order on May 1 declaring that the use of bulk-power system equipment supplied by companies controlled by certain foreign nations poses an extraordinary threat to the US power grid. The order observes that the bulk-power system is a valuable target for malicious actors, and any attack on that system could pose serious risks to the economy, public health and safety, and national security.

In an order issued on April 17, the Federal Energy Regulatory Commission (FERC) agreed to defer implementation of certain cybersecurity and operational reliability standards administered by the North American Electric Reliability Corporation (NERC) that had important compliance milestones later this year, including the suite of supply chain risk management standards that have been under development for several years and were set to take effect on July 1. The move by FERC is intended to provide some measure of relief from impending compliance burdens and to allow electric utilities to focus their resources on responding to the coronavirus (COVID-19) pandemic.
Commission Chairman Neil Chatterjee held a press conference on March 19 to discuss FERC’s work during the current pandemic, provide updates regarding the coronavirus (COVID-19), and respond to questions from the media.
FERC and NERC issued a joint notice on Wednesday providing compliance flexibility on certain key reliability standard requirements during the ongoing coronavirus (COVID-19) pandemic. Although this guidance can allow utilities to avoid findings of noncompliance for certain requirements where timely compliance activities could be difficult due to personnel shortages and other limitations, this is not a blanket waiver. Instead, utilities must provide written notices of their intent to use this guidance. The content of those notices must be drafted carefully as they will be necessary to demonstrate compliance in future reviews.
Following the increased spread of COVID-19 within the United States, the North American Electric Reliability Corporation (NERC) issued a Level 2 Alert on March 10 to all users, owners, and operators of the bulk-power system, outlining a series of recommendations and requiring certain responses from each entity about their plans for continued reliable operation under pandemic circumstances.
At its open meeting on November 21, FERC announced organizational changes to enhance the agency’s focus on cybersecurity threats and challenges to electric infrastructure. Commission staff unveiled five “focus areas” related to grid cybersecurity and announced organizational changes within the Office of Energy Projects (OEP) and Office of Electric Reliability (OER) designed to better position Commission resources to address cybersecurity concerns.