FERC, CFTC, and State Energy Law Developments

On January 11, the Nuclear Regulatory Commission (NRC) and the North American Electric Reliability Corporation (NERC) published a Memorandum of Understanding (MOU) regarding the enforcement of NRC cyber security regulations and NERC Critical Infrastructure Protection (CIP) Reliability Standards at commercial nuclear power plants. This MOU provides further detail on what the NRC and NERC view as their separate responsibilities regarding cyber security at nuclear power plants, and explains how they will coordinate execution of these responsibilities going forward.

Earlier today, the Federal Energy Regulatory Commission (FERC) approved a stipulation and consent agreement with Florida Power and Light Company (FPL) that included a $25 million penalty to be paid by FPL to resolve potential violations of mandatory Reliability Standards related to the February 26, 2008 Florida Blackout. That event resulted in the loss of 3,650 MW of customer load, and left some noninterruptible customers without power for more than two hours.

The agreement, which contains one of the largest civil penalties ever approved by FERC, is also the first settlement resulting from a reliability investigation headed by FERC enforcement staff, and follows FERC’s public announcement that it—rather than the North American Electric Reliability Corporation (NERC) or the Florida Reliability Coordinating Council, the two entities usually responsible for the enforcement of Reliability Standards in Florida—would investigate the blackout.

Last week, the North American Electric Reliability Corporation (NERC) released a revised draft of the proposed procedures that Responsible Entities would use to request a Technical Feasibility Exception (TFE) for Critical Infrastructure Protection (CIP) Reliability Standards. The revised procedures make several significant revisions to the draft TFE procedures released for comment this spring.

Under the revised TFE procedures, the responsibility for reviewing and approving TFE requests has been shifted back to the Regional Entities. Any Responsible Entity seeking a TFE must submit an electronic form to the appropriate Regional Entity containing the basic information regarding the TFE, including the relevant CIP Reliability Standard Requirement eligible for a TFE, the basis and justification for the request, the proposed mitigating measures, and the schedule for achieving Strict Compliance. The templates on which Responsible Entities will submit this information should be available from the Regional Entities beginning on September 17, 2009.

The North American Electric Reliability Corporation (NERC) has issued for comment a draft timeline for the implementation of mandatory Critical Infrastructure Protection (CIP) Reliability Standards at nuclear power plants. Previously, in Order No. 706-B, the Federal Energy Regulatory Commission (FERC) clarified that balance of plant systems, structures, and components (SSCs) within a nuclear power plant are subject to the eight CIP Reliability Standards approved by FERC in Order No. 706. NERC is now seeking stakeholder input regarding the appropriate schedule for bringing nuclear power plants into compliance with the CIP Reliability Standards.

By Stephen M. Spina, Lawrence J. Chandler, Jonathan M. Rund, and J. Daniel Skees

On July 1, the North American Electric Reliability Corporation issued draft security guidelines providing guidance to entities that are required to identify Critical Cyber Assets under NERC Standard CIP-002 R3. Under that standard, certain entities must develop a list of Critical Cyber Assets that are essential to the operation of the entities’ Critical Assets.

As stated in the draft guidelines, CIP-002 R3 is applicable to Responsible Entities, which include reliability coordinators, balancing authorities, interchange authorities, transmission service providers, transmission and generator owners and operators, load serving entities, regional entities, and nuclear facilities that have non-safety Critical Assets not subject to the Nuclear Regulatory Commission’s cyber security regulations.

On June 24, 2009, the Federal Energy Regulatory Commission (Commission) upheld central aspects of its prior decisions on Violation Severity Levels (VSLs) proposed by the North American Electric Reliability Corporation (NERC). In acting to approve two compliance filings from NERC addressing VSL issues, the Commission turned back challenges to its current policy regarding the development of VSLs, including the treatment of VSLs for subrequirements that are merely conditions for meeting the actual core requirement and the double-jeopardy concerns presented by employing separate VSLs for the requirements and subrequirements of a Reliability Standard.

The first compliance filing addressed in the order dealt with the “binary” requirements and subrequirements found in the original 83 Reliability Standards approved by the Commission. Unlike most requirements, which have VSLs addressing increasing degrees of noncompliance, binary requirements are those requirements where an entity is either fully compliant or completely out of compliance. NERC’s compliance filing revised the VSLs for these binary requirements and subrequirements so that all violations of these binary requirements would be assessed as “severe.” In the second compliance filing addressed in the order, NERC submitted modified VSLs for those VSLs to which the Commission had previously granted rehearing. The Commission approved both of these compliance filings.

Yesterday, Senate Homeland Security and Governmental Affairs Committee Chairman Joseph Lieberman (I-CT) and House Homeland Security Committee Chairman Bennie Thompson (D-MS) introduced a bill that would dramatically increase the authority of the Federal Energy Regulatory Commission (FERC) to respond to cyber threats to the nation’s power grid. Under the proposed bill, the Critical Infrastructure Protection Act (H.R. 2195 and S. 946), FERC would have the authority to immediately respond to cyber threats identified by the Department of Homeland Security (DHS). In introducing the bill, Senator Lieberman stated: “We rely on cyberspace for so much of what is at the heart of our way of life. And our systems are not protected. We are focusing on the electricity cyber structure today because electricity is what so many critical sectors of the economy depend on.”

The proposal is a direct response to recent events and threats, including news reports noting that the U.S. electrical system has been “routinely penetrated and compromised” by foreign actors, and the ongoing industry efforts to connect grid control systems to open networks. In addition, the bill notes that industry compliance with the existing Critical Infrastructure Protection (CIP) Reliability Standards has been problematic, as revealed by the recent North American Electric Reliability Corporation (NERC) report indicating that only 23% of utilities reported having Critical Cyber Assets. The bill suggests that this indicates that “many utilities are underreporting their assets, potentially to avoid compliance requirements.”