The Rush to Reliability
FERC races to impose NERC’s new rules, raising howls of protest in the process.
“as soon as possible,” “where technically feasible,” etc.), and require a fair bit of housekeeping. Others still lack required elements to guide enforcement and assessment of penalties (NERC now refers to the required “levels of non-compliance” as “violation severity levels”). That can leave them unworthy of approval without further improvements, with the commission unable to dictate what those improvements might be.
It’s a no-win game for FERC.
Defining the Scope of the Rule
The most peculiar aspect of NERC’s proposed standards and FERC’s responsive NOPR is this: There is no single list, guideline, or definition that can tell you exactly who must comply with the standards, and who is excused.
The only real touchstone is contained in EPACT, where Congress says that reliability standards will apply to “users, owners, and operators” of the “bulk power system” (BPS), which it then defines only as facilities and control systems necessary for running the interconnected transmission network (including generation), but excluding local distribution.
NERC’s proposals employ a comparable term, “bulk electric system” (BES), with an expanded definition that would apply largely (but not always) to facilities operated at voltages of 100 kV. Each RE (the regional reliability entity, by delegation agreement) will further define the scope of compliance. The REs would accomplish that in part by relying on NERC’s so-called “functional model” (a listing of 15 hypothetical industry entities, each assigned a unique task). REs would also refer to a document called the “Statement of Compliance Registry Criteria,” which would offer guidance on which industry players exert a “material impact” on the BES.
FERC, by contrast, says it would follow NERC’s definition during an initial transition period. But thereafter, FERC writes in the NOPR that it likely would re-interpret the statute to cover what it sees as possible “gaps” in reliability. In short, FERC would up the ante and greatly expand the universe of entities subject to compliance. This prospect has raised howls of protest from public power interests over the difficulties faced by small systems, both in verifying compliance requirements and then in carrying them out to the letter (with all the associated software installations and record-keeping). FERC would mandate compliance with standards on a case-by-case, standard-by-standard basis. Utilities and others would need to study literally thousands of standards, requirements, measures, and metrics, simply to confirm the required scope of compliance.
To be precise, FERC would “interpret” EPACT’s BPS term more broadly and thus mandate compliance for all facilities 100 kV or larger, plus smaller facilities that could limit or supplement operations of the larger network, or serve “significant” load centers or local distribution networks. Compare that with EPACT, and with NERC’s BES definition. What do these differences imply, exactly, apart from a strict law-school-style analysis of the legislative history, and all other parallel interpretations of all the statutory terms?
According to NERC, reliability standards have targeted the problem of cascading or uncontrolled failures that spread through system equipment across regions, or even whole continents. Thus, NERC says it has narrowed its BES definition, the better to focus on the identified target.