Under a notice of proposed rulemaking to be released today, December 21, the Federal Energy Regulatory Commission (FERC) is proposing to direct the North American Electric Reliability Corporation (NERC) to revise the Critical Infrastructure Protection (CIP) reliability standards to require electric utilities to report all cyberattacks on the electric security perimeters surrounding their key electric infrastructure as well as the associated electronic access control and monitoring devices that protect those perimeters.
In an admonishing response letter issued December 8, US Secretary of Energy Rick Perry granted the Federal Energy Regulatory Commission’s (FERC) request for a 30-day extension to consider final action on its Proposed Grid Reliability and Resiliency Pricing Rules. The proposed rules, if adopted, could provide economic support to coal and nuclear generation in organized markets.
FERC had emphasized in its request that extra time is needed to provide adequate opportunity for recently sworn-in Chairman Kevin J. McIntyre and Commissioner Richard Glick to consider the voluminous record in the proceeding that includes more than 1,500 comments in response to FERC’s solicitation for public comment on the proposed rules. Mr. Perry granted FERC’s request while noting in his letter that, as explained in his original directive, failure to act expeditiously within a 60-day timeframe would be unjust, unreasonable, and contrary to the public interest. Given the circumstances highlighted by FERC, he agreed to allow FERC to take final action by Wednesday, January 10, 2018. Despite granting the request, Mr. Perry strongly urged FERC to act before the deadline to ensure the “resilience and security of the electric grid.”
Today, the Federal Energy Regulatory Commission (FERC) Office of Enforcement (OE) issued its 2017 Report on Enforcement. The report provides a review of OE’s activities during fiscal year 2017, which begins October 1 and ends September 30 annually, revealing likely areas of focus for FERC enforcement in the coming year.
The report indicates that even though FERC lacked a quorum for much of 2017, OE continued to focus on the same areas of market and operational risk that have traditionally captured its attention, which include (i) fraud and market manipulation; (ii) anticompetitive conduct; (iii) conduct that threatens transparency in regulated markets; and (iv) serious violations of mandatory reliability standards. OE does not anticipate that its priorities will change for fiscal year 2018. FERC also addresses its continued litigation of contested cases in federal courts. Additionally, similar to fiscal year 2016, the report indicates that the vast majority of alleged violations that come to OE’s attention are addressed informally through corrective actions voluntarily implemented by the subject of the investigation, without the need for a formal settlement. But this year, OE provides detailed examples of surveillance inquiries initiated by its Division of Analytics and Surveillance that are closed without referral to the US Department of Justice. Details on the topics in the 2017 Enforcement Report will be further described in a future LawFlash that will be posted as part of Morgan Lewis’s Power & Pipes energy law web postings. These issues will also be discussed in further detail during an upcoming webinar hosted by Morgan Lewis linked below.
The North American Electric Reliability Corporation (NERC) filed a petition on September 26 requesting approval from the Federal Energy Regulatory Commission (FERC or the Commission) for a suite of Reliability Standards that focus on vulnerabilities in vendor products and services and would regulate the utility procurement process.
On September 29, Secretary of Energy Rick Perry invoked rarely used statutory authority to direct the Federal Energy Regulatory Commission to initiate a rulemaking to enable generation assets in RTOs and ISOs to receive payments for reliability and resiliency benefits that DOE views as uncompensated under current market rules.
If the proposed rules are adopted, they could provide significant economic support to coal and nuclear generation in organized markets.
On September 12, 2017, FERC and NERC released a joint statement and guidance encouraging ongoing interutility cooperation among all utilities in response to Hurricane Irma, which ravaged areas in Florida and Georgia, neighboring states, Puerto Rico, and US territories in the Caribbean. The statement emphasized that the utility response to Hurricane Irma will likely be among the largest industry restoration efforts in US history. In it, FERC and NERC encourage utilities to lend personnel skilled in vegetation management to those utilities in need as a result of the hurricane.
On June 8, the North American Electric Reliability Corporation (NERC) released its report on the loss of 1,200 MW of solar generation in southern California during a system disturbance that unexpectedly caused inverters at solar generation facilities to trip or momentarily cease to operate. The report provides solar plant owners and engineers with recommendations to prevent future occurrences. According to NERC, inverter disconnect events pose an increasing reliability risk given the expansion of solar generation.
Growing solar penetration has made the response of solar generators to system disturbances more critical. If NERC and utility-scale solar generators adopt the report’s recommendations, the likelihood of both recurrences and government-imposed regulations will be reduced. The Federal Energy Regulatory Commission’s (FERC’s) recent orders requiring renewable generation to promote frequency response (Docket No. RM16-6), reactive power (Order No. 827), and ride-through capability (Order No. 828) indicate a willingness to impose regulatory requirements on renewable generation where FERC sees it as necessary to preserve system reliability. Separate and apart from NERC action and any voluntary industry response, the report may lead FERC to consider such action.
Putting aside the climate change politics swirling around US President Donald Trump’s recent executive order on “Promoting Energy Independence and Economic Growth,” what does the order mean for the nation’s electric generation portfolio? Can the gradual decline in the role of coal-fired generation be reversed?
The executive order, released on March 28, 2017, calls for increased domestic energy production from coal, natural gas, nuclear material, and other domestic sources, explicitly balancing the need to “promote clean and safe development” of energy resources with “avoiding regulatory burdens that unnecessarily encumber energy production, constrain economic growth, and prevent job creation.” In addition to revoking various Obama-era executive orders on climate change and carbon emissions and rescinding various reports issued by federal agencies on these topics, the executive order also directs the Environmental Protection Agency (EPA) to review the Clean Power Plan in the context of the domestic production policy adopted in the executive order and to, “as soon as practicable, suspend, revise, or rescind” the rule.
Earlier this month, the North American Electric Reliability Corporation (NERC) submitted proposed changes to Reliability Standard CIP-003 to modify the cybersecurity protections required for low-impact BES Cyber Systems. In response to FERC’s directives in Order No. 882, the new CIP-003-7 Standard (i) clarifies electronic access control requirements, (ii) adds requirements related to the protection of transient electronic devices, and (iii) requires utilities to have documented cybersecurity policies related to declaring and responding to CIP Exceptional Circumstances for low-impact BES Cyber Systems. The key changes are as follows:
Electronic Access Control Requirements
Utilities will be required to implement electronic access controls to permit only necessary inbound and outbound access to low-impact BES Cyber Systems for certain communications, whether direct or indirect, using routable protocols. This resolves the dispute regarding the existence of Low-Impact External Routable Connectivity (LERC) from an asset with a low-impact BES Cyber System, and the need to implement a Low-Impact BES Cyber System Electronic Access Point (LEAP) for the control of communications into the asset. Under the proposed standard, the LERC and LEAP concepts are discarded, and instead utilities are required to implement certain electronic access controls for all routable connections into and out of assets with low-impact BES Cyber Systems, regardless of whether those connections are direct or indirect.
Protection of Transient Electronic Devices
Under the proposed standard, utilities are also required to implement plans to protect transient electronic devices (e.g., laptops) with the goal of mitigating the risk of malicious code being introduced to low-impact BES Cyber Systems by, for example, a relay technician testing protection systems in a substation. The requirements differentiate between transient cyber assets managed by a utility and those managed by third parties such as vendors and contractors.
CIP Exceptional Circumstances Policy
NERC is also proposing changes that would require utilities to have policies for declaring and responding to CIP Exceptional Circumstances related to low-impact BES Cyber Systems. A CIP Exceptional Circumstance includes, among other situations, a risk of injury or death; natural disasters; civil unrest; imminent or existing hardware, software, or equipment failures; and cybersecurity incidents requiring emergency assistance. During a CIP Exceptional Circumstance, certain CIP requirements can be waived.
These revisions are the result of a lengthy stakeholder development process, and ultimately received strong support from the industry in stakeholder voting. The revisions also close the gaps in the CIP-003 Reliability Standard identified by FERC. As a result, the revised standard is likely to be approved by FERC. However, to the extent utilities have concerns over the substance or clarity of the proposed language, the upcoming notice and comment process at FERC will provide the last good opportunity to receive binding guidance from the Commission or challenge the language in the new standard.
The North American Electric Reliability Corporation (NERC) recently submitted two proposed Reliability Standards to improve the real-time data exchange capabilities of Reliability Coordinators, Transmission Operators, and Balancing Authorities. The modified Reliability Standards (IRO-002-5 and TOP-001-4) add new obligations requiring Reliability Coordinators, Transmission Operators, and Balancing Authorities to have real-time data exchange capabilities with redundant and diversely routed data exchange infrastructure within their primary control centers. These entities would also be required to test their redundant functionality at least every 90 days.