At today’s open meeting, the Federal Energy Regulatory Commission (FERC) proposed to approve new Critical Infrastructure Protection (CIP) Reliability Standards developed by the North American Electric Reliability Corporation (NERC) to address cybersecurity risks in the supply chains for critical utility systems. While acknowledging the benefits of using a global supply chain to produce the assets used to operate the bulk electric system, FERC staff’s accompanying presentation noted that relying on a global supply chain “also enables opportunities for adversaries to directly or indirectly affect the management or operations of generation and transmission companies in a manner that may result in risks to end users, such as through the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software.”
Under a notice of proposed rulemaking to be released today, December 21, the Federal Energy Regulatory Commission (FERC) is proposing to direct the North American Electric Reliability Corporation (NERC) to revise the Critical Infrastructure Protection (CIP) reliability standards to require electric utilities to report all cyberattacks on the Electronic Security Perimeters surrounding their key electric infrastructure, as well as on the associated electronic access control and monitoring devices that protect those perimeters.
As evidence that cyberattacks continue to threaten electric infrastructure in the United States, a report issued on December 14 by cybersecurity firm FireEye indicates that critical infrastructure industrial control systems (ICS) could be susceptible to a new type of malware. FireEye reported that the malware, dubbed “TRITON,” triggered the emergency shutdown capability of an industrial process within a critical infrastructure ICS. This is not the first time that hackers have successfully targeted ICS. In 2013, hackers believed to be operating on behalf of a state actor managed to take partial control of the Bowman Avenue Dam near Rye Brook, New York. More recently, reports emerged this past summer that hackers gained access to the operational grid controls of US-based energy firms. Because of the destructive potential of these types of breaches, critical electric and other utility infrastructure will remain highly prized targets for future cyberattacks.
As the pace of reported cyberattacks on ICS continues to pick up, scrutiny of electric utilities’ compliance with the Critical Infrastructure Protection (CIP) reliability standards by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) is likely to increase. It is highly likely that electric utilities will receive data requests or informal outreach from FERC or NERC in the near future to determine whether those utilities operate equipment similar to that targeted in these incidents, and if so, what steps they have taken to mitigate the threat. Even in the absence of such requests, these events provide a good opportunity for electric utilities to test whether their CIP compliance programs are sufficient to identify and remediate such threats.
The North American Electric Reliability Corporation (NERC) filed a petition on September 26 requesting approval from the Federal Energy Regulatory Commission (FERC or the Commission) for a suite of Reliability Standards that focus on vulnerabilities in vendor products and services and would regulate the utility procurement process.
Read the full LawFlash.
On September 29, Secretary of Energy Rick Perry invoked rarely used statutory authority to direct the Federal Energy Regulatory Commission to initiate a rulemaking to enable generation assets in regional transmission organizations (RTOs) and independent system operators (ISOs) to receive payments for reliability and resiliency benefits that DOE views as uncompensated under current market rules.
If the proposed rules are adopted, they could provide significant economic support to coal and nuclear generation in organized markets.
On September 12, 2017, FERC and NERC released a joint statement and guidance encouraging ongoing interutility cooperation among all utilities in response to Hurricane Irma, which ravaged areas in Florida and Georgia, neighboring states, Puerto Rico, and US territories in the Caribbean. The statement emphasized that the utility response to Hurricane Irma will likely be among the largest industry restoration efforts in US history. In it, FERC and NERC encourage utilities to lend personnel skilled in vegetation management to those utilities in need as a result of the hurricane.
On June 8, the North American Electric Reliability Corporation (NERC) released its report on the loss of 1,200 MW of solar generation in southern California during a system disturbance that unexpectedly caused inverters at solar generation facilities to trip or momentarily cease to operate. The report provides solar plant owners and engineers with recommendations to prevent future occurrences. According to NERC, inverter disconnect events pose an increasing reliability risk given the expansion of solar generation.
Growing solar penetration has made the response of solar generators to system disturbances more critical. If NERC and utility-scale solar generators adopt the report’s recommendations, the likelihood of both recurrences and government-imposed regulations will be reduced. The Federal Energy Regulatory Commission’s (FERC’s) recent orders requiring renewable generation to promote frequency response (Docket No. RM16-6), reactive power (Order No. 827), and ride-through capability (Order No. 828) indicate a willingness to impose regulatory requirements on renewable generation where FERC sees it as necessary to preserve system reliability. Separate and apart from NERC action and any voluntary industry response, the report may lead FERC to consider such action.
Continue reading the LawFlash.
Earlier this month, the North American Electric Reliability Corporation (NERC) submitted proposed changes to Reliability Standard CIP-003 to modify the cybersecurity protections required for low-impact BES Cyber Systems. In response to FERC’s directives in Order No. 822, the new CIP-003-7 Standard (i) clarifies electronic access control requirements, (ii) adds requirements related to the protection of transient electronic devices, and (iii) requires utilities to have documented cybersecurity policies related to declaring and responding to CIP Exceptional Circumstances for low-impact BES Cyber Systems. The key changes are as follows:
Electronic Access Control Requirements
Utilities will be required to implement electronic access controls that permit only necessary inbound and outbound access to low-impact BES Cyber Systems for certain communications using routable protocols, whether the connection is direct or indirect. This resolves the dispute over when Low-Impact External Routable Connectivity (LERC) exists from an asset containing a low-impact BES Cyber System, and therefore when a Low-Impact BES Cyber System Electronic Access Point (LEAP) must be implemented to control communications into the asset. Under the proposed standard, the LERC and LEAP concepts are discarded; instead, utilities are required to implement electronic access controls for all routable connections into and out of assets with low-impact BES Cyber Systems, regardless of whether those connections are direct or indirect.
Protection of Transient Electronic Devices
Under the proposed standard, utilities are also required to implement plans to protect transient electronic devices (e.g., laptops) with the goal of mitigating the risk of malicious code being introduced to low-impact BES Cyber Systems by, for example, a relay technician testing protection systems in a substation. The requirements differentiate between transient cyber assets managed by a utility and those managed by third parties such as vendors and contractors.
CIP Exceptional Circumstances Policy
NERC is also proposing changes that would require utilities to have policies for declaring and responding to CIP Exceptional Circumstances related to low-impact BES Cyber Systems. A CIP Exceptional Circumstance includes, among other situations, a risk of injury or death; natural disasters; civil unrest; imminent or existing hardware, software, or equipment failures; and cybersecurity incidents requiring emergency assistance. During a CIP Exceptional Circumstance, certain CIP requirements can be waived.
These revisions are the result of a lengthy stakeholder development process, and ultimately received strong support from the industry in stakeholder voting. The revisions also close the gaps in the CIP-003 Reliability Standard identified by FERC. As a result, the revised standard is likely to be approved by FERC. However, to the extent utilities have concerns over the substance or clarity of the proposed language, the upcoming notice and comment process at FERC will provide the last good opportunity to receive binding guidance from the Commission or challenge the language in the new standard.
The North American Electric Reliability Corporation (NERC) recently submitted two proposed Reliability Standards to improve the real-time data exchange capabilities of Reliability Coordinators, Transmission Operators, and Balancing Authorities. The modified Reliability Standards (IRO-002-5 and TOP-001-4) add new obligations requiring Reliability Coordinators, Transmission Operators, and Balancing Authorities to have real-time data exchange capabilities with redundant and diversely routed data exchange infrastructure within their primary control centers. These entities would also be required to test their redundant functionality at least every 90 days.
The White House’s newly released National Electric Grid Security and Resilience Action Plan contains dozens of directives to various federal agencies for enhancing the electric grid’s resilience in the face of cyber threats, physical attacks, and natural disasters. Many of the directives build on different programs that federal agencies already run, but for the first time, this action plan synthesizes those disparate initiatives and focuses them on three goals: protecting the grid’s vulnerabilities, improving responses to contingencies, and building a more resilient system.
Notably, the action plan realizes that many of these directives can only be achieved with public utilities’ participation and that cost recovery of investments for grid resiliency is essential if the government expects significant private investment to address the existing system vulnerabilities.
Read the full LawFlash: White House Releases Checklist to Improve Grid Resiliency.