Earlier today, the Federal Energy Regulatory Commission (FERC) approved the implementation plan for Critical Infrastructure Protection (CIP) Reliability Standards compliance by nuclear generator owners and operators in the United States. As a result, the timeline for achieving compliance with these complex Reliability Standards on cyber-security protections has begun. Compliance with two CIP Reliability Standard Requirements, CIP-002-1 Requirements R1 and R2, must be achieved within 12 months. Compliance with the remaining Requirements is dependent on future developments, but will likely be due within 18 months. Due to the complexity of implementing these measures alongside the separate cyber-security regulations of the Nuclear Regulatory Commission (NRC), achieving auditable compliance by these deadlines is likely to be a lengthy process, specific to the facilities of each licensee.
The CIP Reliability Standards, which were developed by the North American Electric Reliability Corporation (NERC) and approved as mandatory and enforceable by FERC under Section 215 of the Federal Power Act, are intended to provide significant cyber-security protections for cyber equipment determined to be Critical Cyber Assets for bulk-power system reliability. In Order No. 706-B, FERC clarified that a nuclear generating facility is subject to CIP Reliability Standards compliance to the extent that equipment within the facility's "balance of plant" is not subject to the NRC's recently promulgated cyber-security regulations.
Under the approved implementation plan, compliance with the CIP Reliability Standards by nuclear generator owners and operators turns upon as many as three events: (1) the approval of the implementation plan by FERC; (2) the scope of systems determination for the nuclear plants by NERC and the NRC; and (3) any refueling outages that may need to occur to implement compliance measures.
According to NERC, the scope of systems determination will use a plant-specific "Bright-Line Test" to identify which structures, systems, and components within the balance of plant are subject to the NRC's regulations and which are subject to the CIP Reliability Standards. This Bright-Line test will occur following a series of regional workshops that NERC will conduct for nuclear plant owners and operators, along with subsequent surveys that are intended to gather specific information regarding each plant's systems, structures, and components with cyber assets. After the surveys are returned, NERC and the NRC will verify the survey results, potentially conduct site visits, and then make the scope of systems determination for each plant.
With the exception of CIP-002-1 Requirements R1 and R2, compliance with the other CIP Reliability Standard Requirements will generally be due the later of the approval of the implementation plan-March 18, 2010 plus 18 months-or the scope of systems determination plus 10 months. For certain requirements, if a refueling outage is necessary to implement compliance measures, a different timetable may apply.
According to NERC, the scope of systems determination plus 10 months and regulatory approval of the implementation plan plus 18 months should occur at approximately the same time, because NERC plans to finalize the scope of systems determinations in the next eight months. However, because the scope of systems determination process has not yet been implemented, FERC ordered NERC to submit a compliance filing if this process will be delayed.
Because the version 2 and version 3 CIP Reliability Standards have also been approved, FERC ordered NERC to develop an implementation plan for those Reliability Standards and file it for FERC approval. As the changes introduced by these new versions are minor, FERC directed NERC to develop an implementation plan for these versions that follows the same schedule as FERC approved in today's order.
As the result of this order, the deadlines for CIP Reliability Standards compliance by nuclear generator owners and operators have been largely finalized. However, given the complexity of the requirements and the similarities and differences between NERC and NRC cyber-security requirements, reaching full compliance is likely to be a lengthy and complicated process as nuclear licensees adjust to security obligations imposed by a new regulator with its own unique compliance monitoring and enforcement mechanisms.
If you have any questions or would like more information on any of the issues discussed in this LawFlash, please contact any of the following Morgan Lewis attorneys:
Washington, D.C.
Stephen M. Spina
J. Daniel Skees