FERC, CFTC, and State Energy Law Developments

At its open meeting on November 21, FERC announced organizational changes to enhance the agency’s focus on cybersecurity threats and challenges to electric infrastructure. Commission staff unveiled five “focus areas” related to grid cybersecurity and announced organizational changes within the Office of Energy Projects (OEP) and Office of Electric Reliability (OER) designed to better position Commission resources to address cybersecurity concerns.

New Strategic Focus Areas

Commission staff developed the following five focus areas based on their review of threat reports (public and nonpublic), global cybersecurity events, North American Electric Reliability Corporation (NERC) CIP standards, and OEP’s specialized security program for hydropower projects.

  1. Supply Chain/Insider Threat/Third-Party Authorized Access

    This is not the first time the Commission has made supply chain and third-party (or vendor) management security a priority. In 2016, the Commission directed NERC to develop mandatory supply chain risk management controls, which have since been approved and are set to take effect next year.

In an effort to address anticipated electricity shortages and reliability challenges in California, the California Public Utilities Commission (CPUC) voted on November 7 to authorize the procurement of 3,300 MW of energy by 2023. The CPUC also intends to seek extensions of certain compliance deadlines from the State Water Resources Control Board for almost 4,800 MW of gas generation units due to retire soon because they use ocean water for so-called “once-through cooling,” which can have a detrimental impact on marine life.

For more details on the CPUC’s actions, read the full LawFlash.

FERC Staff issued an October 4 report on Commission-led critical infrastructure protection (CIP) reliability audits completed during fiscal year 2019. The report provides lessons learned and identifies voluntary practices that FERC Staff observed during those audits that could improve the protection of electric infrastructure from cyberattacks.

Facing what it deems an “unprecedented number of FOIA requests” for nonpublic information related to utility violations of the North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) requirements governing cybersecurity compliance for critical electric infrastructure, FERC Staff has issued a white paper proposing to make publicly available additional information regarding those violations, including the names of the utilities involved. If adopted, this proposal could increase the risk of a serious and successful attack on the nation’s electric infrastructure with no benefit other than a “name and shame” approach to CIP enforcement.

For the first time, FERC has found that significant investments in an existing licensed hydroelectric facility by a licensee will be considered when establishing the license term in a relicensing proceeding, potentially aiding the licensee in obtaining a longer license term.

Section 15(e) of the Federal Power Act (FPA) provides that any license issued shall be for a term that FERC determines to be in the public interest, but no less than 30 years or more than 50 years. Under its 2017 Policy Statement on Establishing License Terms for Hydroelectric Projects, FERC established a 40-year default license term policy for original and new licenses. The Policy Statement included exceptions to the 40-year license term under certain circumstances, including establishing a longer license term upon a showing by the license applicant that either substantial voluntary measures were previously implemented during the prior license term or substantial new measures are expected to be implemented under the new license.

FERC recently approved proposed Reliability Standard CIP-008-6, which expands the mandatory reporting requirements for Cyber Security Incidents that attempt to compromise the operation of the bulk power system. Under the new standard, electric utilities will need to implement more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents and attempted cyber intrusions than are currently required. The new standard goes into effect on January 1, 2021.

As we reported, NERC developed the revised standard in response to the Commission’s directive to broaden the scope of mandatory reporting of Cyber Security Incidents. In particular, the Commission was concerned with the risk posed by malicious intrusion attempts that might facilitate subsequent efforts to harm the reliable operation of the bulk power system.

Consolidated Edison Company of New York, Inc. (Con Edison) and Orange and Rockland Utilities, Inc. (O&R) issued a draft joint Request for Proposals (RFP) on May 31 to competitively procure scheduling and dispatch rights from new energy storage projects. Through this initial solicitation, Con Edison and O&R are targeting at least 300 megawatts (MW) and 10 MW, respectively, of new energy storage facilities to meet the in-service deadline of December 31, 2022, set by the New York Public Service Commission (NYPSC) in its December 2018 Order (Storage Order) establishing New York’s three gigawatt (GW) energy storage deployment goal.

Both utilities will accept bids only for new storage projects sized over five MW and connected to the transmission or distribution system that can directly participate in New York Independent System Operator (NYISO) markets and provide distribution benefits, if applicable. These front-of-meter systems must be able to discharge for at least four hours 100 to 350 times per year, have at least 85% roundtrip efficiency, and maintain 98% availability for dispatch each contract year.

The supply chain risks facing electric utilities have long been a concern for industry stakeholders and regulators alike. Reflecting those concerns, NERC submitted a report on May 28 to FERC recommending the expansion of requirements addressing supply chain cybersecurity risks for electric utilities, concluding that the scope of those requirements needed to expand to match the scope of the cybersecurity risk. The development of such revised standards will itself be a lengthy process and subject to additional FERC review.

FERC Staff issued a report on March 29 on Commission-led critical infrastructure protection (CIP) reliability audits completed for fiscal years 2016 through 2018. The report provides lessons learned from those audits, as well as voluntary recommendations on cybersecurity practices to enhance the protection of electric infrastructure from cyberattacks. Even though many of these recommendations go beyond what is necessary for compliance with the mandatory CIP reliability standards, FERC is likely to view implementation of these recommendations as evidence of a strong cybersecurity culture that proactively addresses best cybersecurity practices and evolving threats. That can, in turn, have positive ramifications for utilities undergoing cybersecurity reviews by FERC, NERC, or the Regional Entities.