On April 18, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) that would approve version 5 of the North American Electric Reliability Corporation's (NERC's) Critical Infrastructure Protection (CIP) Reliability Standards. The proposed rule aims to expand the scope of bulk electric system (BES) cyber systems protected by the CIP Reliability Standards. The proposal also includes 12 requirements with new cybersecurity controls as well as proposed modifications and clarifications to the CIP Reliability Standards. If approved, the revised CIP Reliability Standards will address a wider variety of utility computer systems and equipment, with the strictest protections applied to the most critical equipment.
In a Notice of Proposed Rulemaking issued on October 18, 2012, FERC proposed to direct NERC to develop reliability standards addressing the risk posed by geomagnetic disturbances (GMDs). As a first stage, FERC proposed to direct NERC to develop a standard within 90 days of the final rule mandating that bulk-power system owners and operators develop operating procedures to mitigate the effects that GMDs have on reliability.
At FERC’s open meeting on April 19, 2012, FERC approved several orders addressing core aspects of Reliability Standards compliance, including cybersecurity Reliability Standards, compliance registration, and contingency planning issues. The newly approved cybersecurity Reliability Standards significantly increase the scope of facilities subject to those requirements, the compliance registration decisions clarify the jurisdictional boundary between distribution and transmission facilities, and the planning orders represent a rejection of NERC’s approach to planning for firm load loss following a single contingency.
In a move intended to improve the efficiency of the Reliability Standard violation enforcement process, the Federal Energy Regulatory Commission (FERC or the Commission) yesterday approved the North American Electric Reliability Corporation's (NERC's) "Find, Fix & Track" (FFT) enforcement proposal. The FFT process should provide NERC and the Regional Entities with increased flexibility to address low-risk Reliability Standard violations, avoiding the need for a lengthy settlement process for minor violations that pose little risk to bulk-power system reliability. While NERC will continue to report all violations, this change will eliminate—for those low-risk violations selected for FFT treatment—the extensive mitigation and settlement paperwork that historically accompanied minor violations. Despite this increased flexibility for NERC and the Regional Entities, the Commission promised strict oversight of this process.
On February 14, a bipartisan group of senators introduced to the U.S. Senate the Cybersecurity Act of 2012, under which the Department of Homeland Security (DHS) would assess the risks and vulnerabilities of critical infrastructure systems and develop security performance requirements for the systems and assets designated as covered critical infrastructure. The bill is sponsored by Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-CT), committee ranking member Susan Collins (R-ME), Commerce Committee Chairman Jay Rockefeller (D-WV), and Select Intelligence Committee Chairman Dianne Feinstein (D-CA). As explained in the statement announcing the measure, "[t]he bill envisions a public-private partnership to secure those systems, which, if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security."
Please join us for an all-day conference addressing strategies and trends in cyber risk and cybersecurity for the nation's energy infrastructure.
The Obama administration, Congress, and federal regulators continue to increase their focus on cyber risks to U.S. energy infrastructure. At the same time, businesses themselves have sought to increase the resistance of the energy sector to cyber attacks through voluntary public-private partnerships and similar nonregulatory efforts.
On October 13, the U.S. Securities and Exchange Commission (SEC) issued disclosure guidance related to cybersecurity risks and costs that may have far-reaching impacts on electric utilities. For those electric utilities already subject to the North American Electric Reliability Corporation (NERC) cybersecurity requirements, this guidance suggests the need for increased scrutiny of compliance costs and harms resulting from cyber incidents and potential cyber incidents to evaluate appropriate disclosure. With the pending increase in the number of assets covered by the Version 4 Critical Infrastructure Protection (CIP) Reliability Standards, which the Federal Energy Regulatory Commission (FERC) recently proposed to approve, the costs of compliance are likely to significantly increase across the electric utilities industry, affecting a wide variety of SEC registrants subject to FERC's reliability jurisdiction.
On August 29, the Commission approved a $350,000 settlement between the Grand River Dam Authority, NERC, and FERC to settle allegations of Reliability Standard violations by the Grand River Dam Authority, an Oklahoma state agency. NERC and the Commission ultimately concluded that the Grand River Dam Authority violated 52 Requirements in 19 Reliability Standards. This appears to be the first settlement of a reliability investigation by the Commission that was not explicitly tied to a bulk-power system incident.
On August 16, FERC and NERC issued a joint report on the outages and curtailments that occurred in the southwest during the extraordinary cold snap in early February 2011.
The report summarizes the events that occurred in early February, describing the scope of the generator outages that occurred and the natural gas production that declined due to the extreme cold weather. As noted in the report, the cold weather led to the unavailability of approximately one-third of Electric Reliability Council of Texas (ERCOT) generation at one point during the event, and spot prices in the ERCOT market hit $3,000 per MWh. In addition, the loss of natural gas production resulted in the curtailment of 50,000 customers in the southwest.
At the NERC Board of Trustees meeting this week in Vancouver, Canada, NERC outlined a new initiative intended to reduce the administrative burden on Registered Entities associated with the processing of Reliability Standard violations. The procedure, which has yet to be spelled out in detail, would adjust the administrative process based on the risk to bulk power system reliability presented by a given violation.