FERC, CFTC, and State Energy Law Developments

The Federal Energy Regulatory Commission (FERC or the Commission) issued Order No. 848 on July 19, directing the North American Electric Reliability Corporation (NERC) to augment the cyber incident reporting requirements under the Critical Infrastructure Protection (CIP) reliability standards. The directive adopts the proposals from the December 2017 Notice of Proposed Rulemaking (NOPR) and reflects the Commission’s view that FERC and NERC need to significantly improve their awareness of the breadth and frequency of the cybersecurity risks that electric utilities encounter.

Officials at the US Department of Homeland Security (DHS) confirmed yesterday to The Wall Street Journal that state-sponsored hackers successfully gained remote access to the control rooms of US electric utilities and likely had the ability to disrupt power flows. The report describes the activities as part of a long-running campaign targeting US utilities and suggests that the attacks are still ongoing. This is not the first time that a federal government agency has publicly confirmed the actual or potential threat posed by hackers to critical infrastructure (see our previous post on state-sponsored attacks). Instead, it marks yet another confirmed instance of hackers gaining access to the secure networks used by industrial control systems in what has become a disconcerting trend in recent years, and continues to underline the importance of strong vendor and supply chain cybersecurity controls.

On July 19, the Federal Energy Regulatory Commission (FERC) approved most of the revisions proposed by a North American Electric Reliability Corporation (NERC) petition to revise NERC’s rules of procedure (ROP) on operator certification, but rejected certain key changes. FERC concluded that NERC’s proposal to remove those provisions would strip substantive rules from the ROP and move them to NERC manuals, thus defeating the efficacy of FERC review because the ROP is subject to FERC review and approval but NERC manuals are not.

The Commissioners of the Federal Energy Regulatory Commission (FERC or the Commission) testified on June 12 at an oversight hearing before the Senate Committee on Energy and Natural Resources. They addressed FERC-jurisdictional issues, including grid modernization, resiliency, security, and enforcement, and President Donald Trump’s recent directive to US Department of Energy (DOE) Secretary Rick Perry to prepare immediate steps to stop the loss and retirement of nuclear and coal generation facilities. The Commissioners’ testimony provides an insight into the issues that FERC may prioritize in the near future.

The Nuclear Regulatory Commission (NRC) and the Federal Energy Regulatory Commission (FERC) entered into a Memorandum of Understanding (MOU) on June 6 regarding the care and protection of critical energy/electric infrastructure information (CEII). The MOU delineates how the two agencies will cooperate to identify, process, and protect CEII that the NRC holds, explaining that the two independent agencies “mutually agree that it is important to protect CEII to ensure the safety and security of the electric grid.” Under the MOU, the NRC will be able to consult with FERC to designate certain NRC-held information as CEII—and therefore FOIA-exempt—if requested by a third party under that open records law.

The MOU is another step in the US government’s attempt to address growing concerns about physical and cybersecurity threats to the electricity grid. Congress, recognizing these threats, directed the US Department of Energy and FERC to identify and protect CEII when it passed the “Fixing America’s Surface Transportation Act” (FAST Act) in 2015. FERC issued its CEII regulations in late 2016.

The commissioners from the Federal Energy Regulatory Commission (FERC) and the Nuclear Regulatory Commission (NRC) held a joint meeting on June 7 to discuss grid reliability and cybersecurity. FERC and NRC staff provided presentations on the recent and ongoing activities of both agencies to promote a stable, resilient, and secure grid. The presentations were largely a summary of recent agency activities and served to continue the practice of both independent regulatory agencies meeting to discuss items of common interest.

The White House announced late last week that President Donald Trump has directed Energy Secretary Rick Perry to “prepare immediate steps to stop the loss” of “fuel-secure power facilities,” noting that near-term retirements of these facilities could lead to “a rapid depletion of a critical part of our nation’s energy mix, and impact the resilience of our power grid.” Although the federal government has not yet disclosed what those steps might be or which generators are at issue, press reports from CNN and Bloomberg, among others, have emerged suggesting that the US Department of Energy (DOE) is considering a directive that would require Independent System Operators and Regional Transmission Operators (ISOs/RTOs) to purchase energy from designated “fuel-secure” plants for a period of up to, and possibly more than, 24 months to avoid any near-term decommissioning.

On the heels of the news reports describing cyberattacks on the energy sector that have continued to accumulate over the last few years, the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a technical alert on March 15 describing ongoing attacks on critical infrastructure by hackers associated with the Russian government. The alert described the cyberattacks as part of a “multi-stage intrusion campaign by Russian government cyber actors” that targeted the energy sector networks, as well as computer systems used by entities in the nuclear, water, aviation, and critical manufacturing sectors. The alert is the latest in a string of reported cyberattacks on industrial control systems (ICS) in recent years, and can only serve to ratchet up the regulatory pressure on these industries to demonstrate their resilience in the face of these well-organized attacks.

The North American Electric Reliability Corporation (NERC) filed a Notice of Penalty summarizing an agreement by an unidentified electric utility to pay a $2.7 million penalty in connection with self-reported violations of the Critical Infrastructure Protection reliability standards related to sensitive data exposure by a vendor. Although the utility did not directly cause the improper data handling—and indeed the violation resulted from vendor noncompliance with utility policies—the Western Electricity Coordinating Council nevertheless concluded that the utility failed to adequately implement its information protection program by not preventing or immediately detecting the vendor’s actions and submitted the settlement to NERC. 

In response to concerns that the ability of the electric system to provide frequency response following a system disturbance is falling across the United States, the Federal Energy Regulatory Commission (FERC) changed its generation interconnection requirements on February 15. Frequency response is, generally speaking, the ability of the system to quickly return to 60 Hz frequency following a system event such as the sudden loss of a generator. If frequency is not immediately corrected, over- or under-frequency events can occur, which would lead to more and more facilities tripping out of service. The ability of the bulk electric system to provide frequency response is therefore critical in order to avoid cascading outages.

Under the revisions to the pro forma Large Generator Interconnection Agreement (LGIA) and the Small Generator Interconnection Agreement (SGIA), nonsynchronous generators (typically renewable generation) will for the first time be required to have equipment that enables the generator to provide frequency response. Previously, only synchronous generators were required to have that capability because of concerns that nonsynchronous generators were not technically capable of providing that service. FERC found that with recent technological developments there is no longer a reason to treat synchronous and nonsynchronous generation differently on this issue.

The new requirements will apply only to new interconnection agreements, including those driven by changes at an existing generator that necessitate a new interconnection agreement.