FERC Staff issued an October 4 report on Commission-led critical infrastructure protection (CIP) reliability audits completed during fiscal year 2019. The report provides lessons learned and identifies voluntary practices that FERC Staff observed during those audits that could improve the protection of electric infrastructure from cyberattacks.
Facing what it deems an “unprecedented number of FOIA requests” for nonpublic information related to utility violations of the North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) requirements governing cybersecurity compliance for critical electric infrastructure, FERC Staff has issued a white paper proposing to make publicly available additional information regarding those violations, including the names of the utilities involved. If adopted, this proposal could increase the risk of a serious and successful attack on the nation’s electric infrastructure with no benefit other than a “name and shame” approach to CIP enforcement.
For the first time, FERC has found that significant investments in an existing licensed hydroelectric facility by a licensee will be considered when establishing the license term in a relicensing proceeding, potentially aiding the licensee in obtaining a longer license term.
Section 15(e) of the Federal Power Act (FPA) provides that any license issued shall be for a term that FERC determines to be in the public interest, but no less than 30 years or more than 50 years. Under its 2017 Policy Statement on Establishing License Terms for Hydroelectric Projects, FERC established a 40-year default license term policy for original and new licenses. The Policy Statement included exceptions to the 40-year license term under certain circumstances, including establishing a longer license term upon a showing by the license applicant that either substantial voluntary measures were previously implemented during the prior license term or substantial new measures are expected to be implemented under the new license.
FERC recently approved proposed Reliability Standard CIP-008-6, which expands the mandatory reporting requirements for Cyber Security Incidents that attempt to compromise the operation of the bulk power system. Under the new standard, electric utilities will need to implement more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents and attempted cyber intrusions than are currently required. The new standard goes into effect on January 1, 2021.
As we reported, NERC developed the revised standard in response to the Commission’s directive to broaden the scope of mandatory reporting of Cyber Security Incidents. In particular, the Commission was concerned with the risk posed by malicious intrusion attempts that might facilitate subsequent efforts to harm the reliable operation of the bulk power system.
New Jersey advanced several of the Murphy administration’s clean energy goals during June 2019. Over the past month, the state released a draft of its revised Energy Master Plan (EMP), approved the Ocean Wind offshore wind project proposed by Ørsted, and released a detailed analysis on energy storage development in New Jersey.
Consolidated Edison Company of New York, Inc. (Con Edison) and Orange and Rockland Utilities, Inc. (O&R) issued a draft joint Request for Proposals (RFP) on May 31 to competitively procure scheduling and dispatch rights from new energy storage projects. Through this initial solicitation, Con Edison and O&R are targeting at least 300 megawatts (MW) and 10 MW, respectively, of new energy storage facilities to meet the in-service deadline of December 31, 2022, set by the New York Public Service Commission (NYPSC) in its December 2018 Order (Storage Order) establishing New York’s three gigawatt (GW) energy storage deployment goal.
Both utilities will accept bids only for new storage projects sized over five MW and connected to the transmission or distribution system that can directly participate in New York Independent System Operator (NYISO) markets and provide distribution benefits, if applicable. These front-of-meter systems must be able to discharge for at least four hours 100 to 350 times per year, have at least 85% roundtrip efficiency, and maintain 98% availability for dispatch each contract year.
The supply chain risks facing electric utilities have long been a concern for industry stakeholders and regulators alike. Reflecting those concerns, NERC submitted a report on May 28 to FERC recommending the expansion of requirements addressing supply chain cybersecurity risks for electric utilities, concluding that the scope of those requirements needed to expand to match the scope of the cybersecurity risk. The development of such revised standards will itself be a lengthy process and subject to additional FERC review.
FERC Staff issued a report on March 29 on Commission-led critical infrastructure protection (CIP) reliability audits completed for fiscal years 2016 through 2018. The report provides lessons learned from those audits, as well as voluntary recommendations on cybersecurity practices to enhance the protection of electric infrastructure from cyberattacks. Even though many of these recommendations go beyond what is necessary for compliance with the mandatory CIP reliability standards, FERC is likely to view implementation of these recommendations as evidence of a strong cybersecurity culture that proactively addresses best cybersecurity practices and evolving threats. That can, in turn, have positive ramifications for utilities undergoing cybersecurity reviews by FERC, NERC, or the Regional Entities.
The North American Electric Reliability Corporation (NERC) petitioned the Federal Energy Regulatory Commission (FERC) on March 7 to approve a revised reliability standard for electric utilities aimed at enhancing existing cybersecurity incident reporting. The proposed CIP-008-6 reliability standard would expand the types of assets subject to incident reporting and the categories of incidents affecting those systems that must be reported. If FERC approves the standard as proposed, compliance will require more comprehensive internal controls for identifying, reviewing, and reporting cyber incidents affecting electric utilities.
As we reported in December 2018, to jumpstart the energy storage market as envisioned by Governor Andrew M. Cuomo, the New York Public Service Commission (NYPSC) issued an order establishing an aggressive 3 GW energy storage goal by 2030, with an interim target of 1.5 GW by 2025, and directing investor-owned electric utilities (IOUs) to engage in competitive procurements for energy storage. The IOUs will issue draft requests for proposals (RFPs) this summer following a stakeholder process that kicks off on March 29.