On February 14, a bipartisan group of senators introduced to the U.S. Senate the Cybersecurity Act of 2012, under which the Department of Homeland Security (DHS) would assess the risks and vulnerabilities of critical infrastructure systems and develop security performance requirements for the systems and assets designated as covered critical infrastructure. The bill is sponsored by Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-CT), committee ranking member Susan Collins (R-ME), Commerce Committee Chairman Jay Rockefeller (D-WV), and Select Intelligence Committee Chairman Dianne Feinstein (D-CA). As explained in the statement announcing the measure, "[t]he bill envisions a public-private partnership to secure those systems, which, if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security."
Please join us for an all-day conference addressing strategies and trends in cyber risk and cybersecurity for the nation's energy infrastructure.
The Obama administration, Congress, and federal regulators continue to increase their focus on cyber risks to U.S. energy infrastructure. At the same time, businesses themselves have sought to increase the resistance of the energy sector to cyber attacks through voluntary public-private partnerships and similar nonregulatory efforts.
On October 13, the U.S. Securities and Exchange Commission (SEC) issued disclosure guidance related to cybersecurity risks and costs that may have far-reaching impacts on electric utilities. For those electric utilities already subject to the North American Electric Reliability Corporation (NERC) cybersecurity requirements, this guidance suggests the need for increased scrutiny of compliance costs and harms resulting from cyber incidents and potential cyber incidents to evaluate appropriate disclosure. With the pending increase in the number of assets covered by the Version 4 Critical Infrastructure Protection (CIP) Reliability Standards, which the Federal Energy Regulatory Commission (FERC) recently proposed to approve, the costs of compliance are likely to significantly increase across the electric utilities industry, affecting a wide variety of SEC registrants subject to FERC's reliability jurisdiction.
On August 29, the Commission approved a $350,000 settlement between the Grand River Dam Authority, NERC, and FERC to settle allegations of Reliability Standard violations by the Grand River Dam Authority, an Oklahoma state agency. NERC and the Commission ultimately concluded that the Grand River Dam Authority violated 52 Requirements in 19 Reliability Standards. This appears to be the first settlement of a reliability investigation by the Commission that was not explicitly tied to a bulk-power system incident.
On August 16, FERC and NERC issued a joint report on the outages and curtailments that occurred in the southwest during the extraordinary cold snap in early February 2011.
The report summarizes the events that occurred in early February, describing the scope of the generator outages that occurred and the natural gas production that declined due to the extreme cold weather. As noted in the report, the cold weather led to the unavailability of approximately one-third of Electric Reliability Council of Texas (ERCOT) generation at one point during the event, and spot prices in the ERCOT market hit $3,000 per MWh. In addition, the loss of natural gas production resulted in the curtailment of 50,000 customers in the southwest.
At the NERC Board of Trustees meeting this week in Vancouver, Canada, NERC outlined a new initiative intended to reduce the administrative burden on Registered Entities associated with the processing of Reliability Standard violations. The procedure, which has yet to be spelled out in detail, would adjust the administrative process based on the risk to bulk power system reliability presented by a given violation.
On June 30, 2011, NERC filed its remaining responses to FERC’s recent questions on the expected scope of bulk-power system facilities considered Critical Assets under the proposed CIP-002-4 Reliability Standard. The proposed standard would, for the first time, create bright-line criteria for identifying the facilities subject to NERC’s CIP-002 through CIP-009 Critical Infrastructure Protection Reliability Standards, moving away from the current criteria that grant a great deal of discretion to individual entities.
On June 15, 2011, NERC filed with FERC for approval of the revised Reliability Standard FAC-008-3 (Facility Ratings), which would replace the currently effective FAC-008-1 and FAC-009-1 Reliability Standards. The central revisions to the Standard include the following:
On June 1, 2011, Morgan Lewis's Energy Practice is hosting an all-day seminar on reliability standards compliance. Discussions will include:
- Emerging NERC compliance issues
- Cyber security compliance issues and preparation for Version 4 standards
- Preparing for NERC Reliability Standards audits
- Impact of Compliance Application Notices on requests for interpretation
- Responding to NERC alerts
- Issues related to NERC event analyses
- Prospects for energy legislation
Earlier today, in Order No. 750, FERC approved an interpretation of IRO-005-1 and TOP-005-1, but decided not to adopt the NOPR proposal to direct NERC to modify the Reliability Standards to mandate reporting whenever a Special Protection System (SPS) loses a redundant communication channel. In deciding against its NOPR proposal, FERC relied on the “expert opinion” of NERC and the industry that no reliability gap exists under the proposed interpretation. As a result, the interpretations will take effect as proposed by NERC.