In proposing to approve NERC’s new Physical Security Reliability Standard, FERC also seeks the ability to identify facilities that must be protected.
On July 17, the Federal Energy Regulatory Commission (FERC) proposed to approve a new mandatory reliability standard that would require electric utilities to protect their transmission facilities and control centers against physical threats. Although FERC did not take issue with most of the language in the CIP-014-1 standard proposed by the North American Electric Reliability Corporation (NERC), FERC did express concern over the ability of utilities to identify their own critical facilities, even when that determination is subject to third-party review. To address that concern, FERC proposed to direct NERC to modify the standard so that FERC, or other appropriate federal agencies, could direct electric utilities to add additional facilities to their list of facilities that need physical security protections.
As proposed by NERC, CIP-014-1 has six core requirements:
FERC proposed to approve the standard, along with its associated implementation plan and effective date, but also proposed to direct NERC to modify the standard to address what FERC sees as a limitation on its ability to add to the list of critical facilities requiring physical protections. Although FERC noted that it does not foresee using such authority often, it does need the option to do so. FERC explained that the ability to bring an enforcement action against a utility for an insufficient risk assessment does not ensure timely corrections to protect against security threats. This is similar to FERC’s long-standing concern in the cybersecurity context that permitting utilities to identify the facilities and assets that they consider critical could lead to under-identification, and therefore lack of protection, for assets essential to system reliability.
FERC also requested comment on a number of other topics, including the following:
Comments on FERC’s proposal are due 45 days after publication in the Federal Register. Reply comments will be due 15 days later.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: