FERC, CFTC, and State Energy Law Developments

On the heels of the news reports describing cyberattacks on the energy sector that have continued to accumulate over the last few years, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a technical alert on March 15 describing ongoing attacks on critical infrastructure by hackers associated with the Russian government. The alert described the cyberattacks as part of a “multi-stage intrusion campaign by Russian government cyber actors” that targeted the energy sector networks, as well as computer systems used by entities in the nuclear, water, aviation, and critical manufacturing sectors. The alert is the latest in a string of reported cyberattacks on industrial control systems (ICS) in recent years, and can only serve to ratchet up the regulatory pressure on these industries to demonstrate their resilience in the face of these well-organized attacks.

The North American Electric Reliability Corporation (NERC) filed a Notice of Penalty summarizing an agreement by an unidentified electric utility to pay a $2.7 million penalty in connection with self-reported violations of the Critical Infrastructure Protection reliability standards related to sensitive data exposure by a vendor. Although the utility did not directly cause the improper data handling—and indeed the violation resulted from vendor noncompliance with utility policies—the Western Electricity Coordinating Council nevertheless concluded that the utility failed to adequately implement its information protection program by not preventing or immediately detecting the vendor’s actions and submitted the settlement to NERC. 

For more detail, read our LawFlash.

The Federal Energy Regulatory Commission (FERC) issued an order on January 18 approving four Emergency Operations (EOP) reliability standards: EOP-004-4 (Event Reporting), EOP-005-3 (System Restoration from Blackstart Resources), EOP-006-3 (System Restoration Coordination), and EOP-008-2 (Loss of Control Center Functionality). The newly-approved standards are intended to enhance the requirements for system restoration and related personnel training.

At today’s open meeting, the Federal Energy Regulatory Commission (FERC) proposed to approve new Critical Infrastructure Protection (CIP) Reliability Standards developed by the North American Electric Reliability Corporation (NERC) to protect the cybersecurity of the supply chains for critical utility systems. While recognizing the benefits of using a global supply chain to produce the assets used to operate the bulk electric system, FERC staff’s accompanying presentation recognized that relying on a global supply chain “also enables opportunities for adversaries to directly or indirectly affect the management or operations of generation and transmission companies in a manner that may result in risks to end users, such as through the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software.”

Under a notice of proposed rulemaking to be released today, December 21, the Federal Energy Regulatory Commission (FERC) is proposing to direct the North American Electric Reliability Corporation (NERC) to revise the Critical Infrastructure Protection (CIP) reliability standards to require electric utilities to report all cyberattacks on the electric security perimeters surrounding their key electric infrastructure as well as the associated electronic access control and monitoring devices that protect those perimeters.

As evidence that cyberattacks continue to threaten electric infrastructure in the United States, a report issued on December 14 by cybersecurity firm FireEye indicates that critical infrastructure industrial control systems (ICS) could be susceptible to a new type of malware. FireEye reported that the malware—dubbed “TRITON”—triggered the emergency shutdown capability of an industrial process within a critical infrastructure ICS. This is not the first time that hackers have successfully targeted ICS. In 2013, hackers believed to be operating on behalf of a state-actor managed to take partial control of the Bowman Avenue Dam near Rye Brook, New York. More recently, reports emerged this past summer that hackers gained access to the operational grid controls of US-based energy firms. Because of the destructive potential of these types of breaches, critical electric and other utility infrastructure will remain highly prized targets for future cyberattacks.

As the pace of reported cyberattacks on ICS continues to pick up, scrutiny of electric utilities’ compliance with the Critical Infrastructure Protection (CIP) reliability standards by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) is likely to increase. It is highly likely that electric utilities will receive data requests or informal outreach from FERC or NERC in the near future to determine whether those utilities have similar equipment that could be exploited, and if so, what steps they have taken to mitigate the threat. Even in the absence of such requests, these events provide a good opportunity for electric utilities to test the sufficiency of their CIP compliance programs in identifying and remediating such threats.

The North American Electric Reliability Corporation (NERC) filed a petition on September 26 requesting approval from the Federal Energy Regulatory Commission (FERC or the Commission) for a suite of Reliability Standards that focus on vulnerabilities in vendor products and services and would regulate the utility procurement process.

Read the full LawFlash.

On September 29, Secretary of Energy Rick Perry invoked rarely used statutory authority to direct the Federal Energy Regulatory Commission to initiative a rulemaking to enable generation assets in RTOs and ISOs to receive payments for reliability and resiliency benefits that DOE views as uncompensated under current market rules.

If the proposed rules are adopted, they could provide significant economic support to coal and nuclear generation in organized markets.

Read the full LawFlash

On September 12, 2017, FERC and NERC released a joint statement and guidance encouraging ongoing interutility cooperation among all utilities in response to Hurricane Irma, which ravaged areas in Florida and Georgia, neighboring states, Puerto Rico, and US territories in the Caribbean. The statement emphasized that the utility response to Hurricane Irma will likely be among the largest industry restoration efforts in US history. In it, FERC and NERC encourage utilities to lend personnel skilled in vegetation management to those utilities in need as a result of the hurricane.

On June 8, the North American Electric Reliability Corporation (NERC) released its report on the loss of 1,200 MW of solar generation in southern California during a system disturbance that unexpectedly caused inverters at solar generation facilities to trip or momentarily cease to operate. The report provides solar plant owners and engineers with recommendations to prevent future occurrences. According to NERC, inverter disconnect events pose an increasing reliability risk given the expansion of solar generation.

Growing solar penetration has made the response of solar generators to system disturbances more critical. If NERC and utility-scale solar generators adopt the report’s recommendations, the likelihood of both recurrences and government-imposed regulations will be reduced. The Federal Energy Regulatory Commission’s (FERC’s) recent orders requiring renewable generation to promote frequency response (Docket No. RM16-6), reactive power (Order No. 827), and ride-through capability (Order No. 828) indicate a willingness to impose regulatory requirements on renewable generation where FERC sees it as necessary to preserve system reliability. Separate and apart from NERC action and any voluntary industry response, the report may lead FERC to consider such action.

Continue reading the LawFlash.