FERC, CFTC, and State Energy Law Developments

The electric utility industry has spent vast amounts of money on cybersecurity, an investment that has steadily escalated since the Critical Infrastructure Protection (CIP) Reliability Standards became effective in 2008. Those investments, and the increasingly strict CIP Reliability Standards, were intended to address fears that hackers could use the industrial control systems and other computer systems that control the electric system to cause a blackout. Until recently, that threat was hypothetical. Now, for the first time, public reports have emerged of hackers taking down part of an electric grid.

In late December 2015, hackers allegedly infected several of Ukraine’s power authorities, causing blackouts that lasted several hours and affected thousands of people. Ukrainian authorities confirmed that malicious software infected several control systems, which disabled those systems and resulted in a power outage. The malware, known to have been involved in attacks since 2007, was reportedly embedded in Microsoft Office documents and was retrofitted to include code targeting power stations and other critical infrastructure. Although the geopolitical circumstances in Ukraine are drastically different from those faced by electric utilities in the United States, the attack provides a “proof of concept,” demonstrating that it is possible for an attacker to cause a widespread blackout—the threat is no longer hypothetical.

The newly passed "highway bill" (Fixing America’s Surface Transportation Act) amends the Federal Power Act to incorporate new energy security provisions.

The provisions aim to strengthen the federal government’s authority over electric grid emergency response, facilitate coordination among federal agencies on reliability issues, enhance the protocols for protecting and sharing Critical Energy Infrastructure Information, and exempt utilities from environmental penalties when operating subject to Department of Energy emergency directives.

Please join us for a one-hour webinar about the new provisions and how they will likely affect electric utilities.

Topics will include:

  • An overview of the new provisions
  • The provisions’ background
  • The regulatory steps required

CLE credit: CLE credit in CA (1.0 hour), FL, IL, NJ (via reciprocity), NY, PA, TX, and VA is currently pending approval.

For more information, contact Mary Ann Huntington at +1.202.739.5622 or mhuntington@morganlewis.com.

Register here >>

If signed into law, measures would grant the DOE authority to order utilities to implement emergency protective actions.

Early yesterday morning, H.R. 22 (the Highway Bill) was amended on a voice vote to include an amendment (House Amendment 828) addressing critical energy security issues. Developed by Representative Fred Upton (R-MI) and sponsored by Representative Markwayne Mullin (R-OK), the amendment aims to strengthen the federal government’s authority over electric grid emergency response, facilitate coordination among federal agencies on reliability issues, and enhance the protocols for the protection and sharing of Critical Energy Infrastructure Information (CEII).

The amendment would authorize the Department of Energy (DOE) to order utilities, the North American Electric Reliability Corporation (NERC), or NERC Regional Entities to implement emergency security measures for up to 15 days at a time. Such orders would issue upon a written determination from the President identifying a grid security emergency, which could include malicious electronic or physical attacks or natural events (e.g., geomagnetic storm events) that could disrupt critical electronic devices or communications networks. The amendment provides for the DOE to reissue emergency orders for consecutive 15-day periods if each time the President finds that the emergency is continuing.

To streamline emergency response actions, the amendment would exempt utilities from penalties for violations of Federal Energy Regulatory Commission (FERC or Commission) orders and NERC Reliability Standards due to implementation of emergency security measures directed by the DOE. The amendment acknowledges that utilities may incur substantial costs while implementing emergency orders that may not otherwise be recoverable through existing regulated or market rates. To address this gap, the amendment’s cost-recovery provisions would direct the Commission to establish a separate mechanism that permits recovery of those emergency-related costs, subject to public notice and comment procedures.

If enacted, the bill would also amend section 202(c) of the Federal Power Act, 16 U.S.C. § 824a(c), to provide utilities with protection from environmental penalties while operating under an emergency order issued by the Commission. This would most likely apply in circumstances where DOE directs a generator to operate to ensure system reliability but that generator is required to reduce operations due to environmental limitations. Under existing law, the generator would be required to run but would simultaneously incur penalties for operating in violation of the environmental laws.  

The amendment also aims to strengthen existing CEII protections. Mandatory disclosures of CEII information under the Freedom of Information Act or other federal and state mandatory disclosure requirements would be prohibited. Additionally, the amendment requires the Commission to segregate CEII and non-CEII within the agency and to require sanctions for knowing and willful disclosure of CEII by Commissioners, officers, employees, or agents of FERC.

Not all of the amendment’s provisions seek to unconditionally limit access to information. For example, federal agencies would be allowed to provide temporary access to classified information to entities subject to emergency grid security measures. The amendment also encourages the voluntary sharing of CEII (e.g., between federal and state authorities or between the Commission and cross-border authorities). Additionally, CEII designations by the Commission would last no longer than five years (unless redesignated) and would also be subject to judicial review.

Last, the amendment addresses the reliability risks posed by the unexpected loss of large power transformers. The amendment would require the DOE, FERC, NERC, and electrical infrastructure operators to develop a plan for storing spare large power transformers and emergency mobile substations that can be quickly deployed to temporarily replace damaged large power transformers and substations that serve grid-critical functions. The plan would need to determine, among other things, the number of spare transformers and mobile substations necessary to restore grid resiliency following an outage, the optimal locations of storage facilities, the relative ease and speed of deploying spare transformers and mobile substations, and the cost of implementing such a plan.

Read House Amendment 828.

The D.C. Circuit concluded that sovereign immunity prevents FERC and NERC from imposing monetary penalties on federal agencies that violate Reliability Standards.

Resolving a dispute between the Federal Energy Regulatory Commission (FERC) and the Southwestern Power Administration (SWPA), the U.S. Court of Appeals for the District of Columbia Circuit concluded that federal sovereign immunity prevents FERC, as well as the North American Electric Reliability Corporation (NERC), from imposing monetary penalties on federal agencies that violate mandatory Reliability Standards. As a result of the August 22 decision, federal agencies that are users, owners, and operators of the bulk-power system, such as the various federal power marketing administrations, will not be subject to fines if they violate any of the dozens of Reliability Standards that regulate everything from real-time power system operations to electric utility cybersecurity. Although these agencies are still subject to other enforcement mechanisms, such as compliance directives, the major enforcement tool available to FERC and NERC no longer applies to them.

In this case, the SWPA, which markets hydroelectric power, was fined $19,500 for violating Reliability Standards. FERC upheld the penalty, which had been filed by NERC, on the grounds that section 215 of the Federal Power Act requires the SWPA to comply with Reliability Standards and FERC has the authority to enforce those standards, including through monetary fines, against any entities subject to FERC’s reliability jurisdiction.

On August 15, the U.S. Court of Appeals for the District of Columbia Circuit rejected the challenges filed By various utilities, industry groups, and state commissions that claimed that the Federal Energy Regulatory Commission (FERC or the Commission) overstepped its authority when promulgating Order No. 1000.[1] The court’s decision in South Carolina Public Service Authority v. FERC,[2] which FERC Chairman Cheryl LaFleur hailed as “critical to the Commission’s efforts to support efficient, competitive, and cost-effective transmission,”[3] substantially strengthens FERC’s ability to establish the structures necessary to encourage and facilitate competitive transmission planning and development.

On July 17, the Federal Energy Regulatory Commission (FERC) proposed to approve[1] a new mandatory reliability standard that would require electric utilities to protect their transmission facilities and control centers against physical threats. Although FERC did not take issue with most of the language in the CIP-014-1[2] standard proposed By the North American Electric Reliability Corporation (NERC), FERC did express concern over the ability of utilities to identify their own critical facilities, even when that determination is subject to third-party review. To address that concern, FERC proposed to direct NERC to modify the standard so that FERC, or other appropriate federal agencies, could direct electric utilities to add additional facilities to their list of facilities that need physical security protections.

In a Notice of Proposed Rulemaking issued on June 19, FERC proposed to approve a new Reliability Standard—MOD-001-2 (Modeling, Data, and Analysis)—to govern the calculation of the various components of Available Transfer Capability (ATC), including Total Transfer Capability, Existing Transmission Commitments, Transmission Reliability Margin, and Capacity Benefit Margin. If approved, MOD-001-2 will replace multiple existing Reliability Standards that currently address these issues, including MOD-001-1a, MOD-004-1, MOD-008-1, MOD-028-2, MOD-029-1a, and MOD-030-2.

FERC has approved a new Reliability Standard to address Geomagnetic Disturbances (GMDs). EOP-010-1 (Geomagnetic Disturbance Operations) is the first in a set of Reliability Standards addressing the threat of GMDs to bulk-power system reliability. FERC’s concern with GMDs has been that they can create geomagnetically induced currents in transformers, which can, in turn, increase the absorption of reactive power, create harmonics, and cause transformer spot-heating. Ultimately, the loss of reactive power this causes could result in voltage instability, relay misoperations, and equipment damage.

On August 12, 2013, FERC issued an order extending the deadline for responsible entities to comply with the Version 4 Critical Infrastructure Protection (CIP) Reliability Standards. Responsible entities now have until October 1, 2014 to comply; the previous deadline, established in Order No. 761, was April 1, 2014. The CIP Reliability Standards require the cyber and physical protection of assets critical to the reliable operation of the bulk-power system.

On June 13, 2013, FERC approved a one-year extension for utilities to prepare to implement the new definition of the “bulk electric system” (BES). As a result of this order, the new BES definition approved By FERC in Order No. 773 will not go in effect until July 1, 2014.