FERC, CFTC, and State Energy Law Developments

The Federal Energy Regulatory Commission (FERC or the Commission) Office of Enforcement (OE) issued its 2018 Report on Enforcement on November 15. The report provides a review of OE’s activities during fiscal year 2018 (FY 2018), which begins October 1 and ends September 30 annually. Like last year, the report reveals likely areas of focus for FERC enforcement in the coming year, and provides guidance to the industry based on the wide variety of enforcement matters that are otherwise non-public by synthesizing some of the more disparate developments from audits, market surveillance, and other enforcement activities for the benefit of industry stakeholders.

On October 18, the Federal Energy Regulatory Commission (FERC or Commission) issued Order No. 850, adopting a suite of reliability standards proposed by the North American Electric Reliability Corporation (NERC) to address the cybersecurity risks posed by supply chains for industrial control system assets and services in critical electric utility environments. The final rule largely adopts the proposals from the Commission’s Notice of Proposed Rulemaking (NOPR). But the Commission also directs NERC to expand the scope of the new requirements to include Electronic Access or Control Monitoring Systems (EACMS) and to evaluate the need to further expand the scope of the requirements to include Physical Access Control Systems (PACS) and Protected Cyber Assets (PCAs).

Despite fears that the Commission would shorten the implementation period for the new requirements, the Commission adopted the 18-month implementation period that was originally proposed by NERC.

American national security officials believe that spies working on behalf of an adversarial nation-state successfully carried out an attack against US companies by compromising a key hardware supply chain, according to a report issued October 4 by Bloomberg Businessweek. The report details how the attackers implemented a “seeding” attack by installing tiny, malicious microchips on motherboards—a type of computer circuit board that houses processing and other essential components—that were assembled in Chinese factories. The exploit apparently had a ripple effect, as the compromised motherboards were ultimately installed in commercial servers that are widely distributed in the United States. One official estimates that the attack affected almost 30 companies, including a major bank and government contractors, and may have enabled the attackers to communicate with or infiltrate the sabotaged servers.

The North American Electric Reliability Corporation (NERC) on September 18 requested Federal Energy Regulatory Commission (FERC) approval of a new Critical Infrastructure Protection (CIP) Reliability Standard, CIP-012-1. The proposed standard would require electric utilities with defined “Control Centers” to implement controls that protect sensitive data communicated between any applicable control centers. Driving the standard is a concern that these control centers can only perform their real-time reliability functions if they can receive and transmit sensitive operational data in a secure manner.

The Federal Energy Regulatory Commission (FERC or the Commission) issued Order No. 848 on July 19, directing the North American Electric Reliability Corporation (NERC) to augment the cyber incident reporting requirements under the Critical Infrastructure Protection (CIP) reliability standards. The directive adopts the proposals from the December 2017 Notice of Proposed Rulemaking (NOPR) and reflects the Commission’s view that FERC and NERC need to significantly improve their awareness of the breadth and frequency of the cybersecurity risks that electric utilities encounter.

Read the full Lawflash.

Officials at the US Department of Homeland Security (DHS) confirmed yesterday to The Wall Street Journal that state-sponsored hackers successfully gained remote access to the control rooms of US electric utilities and likely had the ability to disrupt power flows. The report describes the activities as part of a long-running campaign targeting US utilities and suggests that the attacks are still ongoing. This is not the first time that a federal government agency has publicly confirmed the actual or potential threat posed by hackers to critical infrastructure (see our previous post on state-sponsored attacks). Instead, it marks yet another confirmed instance of hackers gaining access to the secure networks used by industrial control systems in what has become a disconcerting trend in recent years, and continues to underline the importance of strong vendor and supply chain cybersecurity controls.

On July 19, the Federal Energy Regulatory Commission (FERC) approved most of the revisions proposed by a North American Electric Reliability Corporation (NERC) petition to revise NERC’s rules of procedure (ROP) on operator certification, but rejected certain key changes. FERC concluded that NERC’s proposal to remove those provisions would strip substantive rules from the ROP and move them to NERC manuals, thus defeating the efficacy of FERC review because the ROP is subject to FERC review and approval but NERC manuals are not.

The Commissioners of the Federal Energy Regulatory Commission (FERC or the Commission) testified on June 12 at an oversight hearing before the Senate Committee on Energy and Natural Resources. They addressed FERC-jurisdictional issues, including grid modernization, resiliency, security, and enforcement, and President Donald Trump’s recent directive to US Department of Energy (DOE) Secretary Rick Perry to prepare immediate steps to stop the loss and retirement of nuclear and coal generation facilities. The Commissioners’ testimony provides an insight into the issues that FERC may prioritize in the near future.

The Nuclear Regulatory Commission (NRC) and the Federal Energy Regulatory Commission (FERC) entered into a Memorandum of Understanding (MOU) on June 6 regarding the care and protection of critical energy/electric infrastructure information (CEII). The MOU delineates how the two agencies will cooperate to identify, process, and protect CEII that the NRC holds, explaining that the two independent agencies “mutually agree that it is important to protect CEII to ensure the safety and security of the electric grid.” Under the MOU, the NRC will be able to consult with FERC to designate certain NRC-held information as CEII—and therefore FOIA-exempt—if requested by a third-party under that open records law.

The MOU is another step in the US government’s attempt to address growing concerns about physical and cybersecurity threats to the electricity grid. Congress, recognizing these threats, directed the US Department of Energy and FERC to identify and protect CEII when it passed the “Fixing America’s Surface Transportation Act” (FAST Act) in 2015. FERC issued its CEII regulations in late 2016.

The commissioners from the Federal Energy Regulatory Commission (FERC) and the Nuclear Regulatory Commission (NRC) held a joint meeting on June 7 to discuss grid reliability and cybersecurity. FERC and NRC staff provided presentations on the recent and ongoing activities of both agencies to promote a stable, resilient, and secure grid. The presentations were largely a summary of recent agency activities and served to continue the practice of both independent regulatory agencies meeting to discuss items of common interest.