NERC's Reliability Standards: The Good, the Bad, and the Fill-in-the-Blanks
How to prepare for mandatory enforcement.
to ensure compliance. While there will not be one “right way” to ensure compliance, some common process-oriented undertakings will help facilitate the achievement of compliance and the instillation of “cultures of compliance” that FERC expects of those subject to its rules.
• Procedures and Business Practices to Implement Reliability Standards. FERC has not yet approved NERC’s proposed reliability standards as the final reliability standards, but it is not too early for bulk-power system users to begin the process of developing procedures and business practices for implementing the reliability standards. The outlines of the final reliability standards, if not the final details, are clear from NERC’s proposed standards. Entities should be planning their implementation guidelines and programs now.
• Training. Employee buy-in to a culture of compliance with the ERO’s reliability standards (as part of an overall culture of compliance with all applicable regulatory requirements) will improve with the involvement of relevant employees in the training process. The key to success is to design a compliance-training program that provides practical guidance to affected employees, demonstrates senior management support, and gives employees opportunities to raise questions and discuss concerns.
• Compliance Assessment. FERC has emphasized the importance of objective, third-party participation to assess compliance programs. Experience with other FERC compliance matters shows that third-party compliance assessments can help companies strengthen their compliance-related performance and demonstrate a commitment to compliance.
EPACT’s establishment of a new regulatory regime centered on bulk-power system reliability and mandatory compliance with new reliability standards increases the regulatory risk faced by every user, owner, and operator of the bulk-power system. Companies that fail to comply face substantial penalties and potentially significant reputational and financial risk.
Nevertheless, cost-effective compliance is feasible, and companies that establish proactive compliance programs can protect themselves from reliability standards violations and the negative regulatory and financial consequences that will accompany those violations. Given the importance of reform and the significant potential consequences of failure, companies with a stake in the bulk power system should not delay in developing strategies to adapt to the new mandatory compliance world for electric reliability.