State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
Cyber Standards: FERC Asserts Its Authority
NERC’s first critical-infrastructure standard is now enforceable. But cyber rules await approval.
In the midst of a long, hot summer, North American utilities have to worry about more than the typical seasonal strain on the grid. They need to be thinking about sabotage and cyber security.
Never far from administrators’ minds, sabotage has taken on even more importance with the approval of the first Critical Infrastructure Protection (CIP) standard by the North American Electric Reliability Corp. (NERC). At press time, a final rule on several cyber-security standards was expected soon.
NERC submitted numerous reliability standards for approval to the Federal Energy Regulatory Commission (FERC), which last year certified NERC as the nation’s Electric Reliability Organization (ERO). As of June 18, 2007, 83 of the standards—including the first CIP standard (see sidebar, “Standard CIP-001—Sabotage Reporting”) —have been approved.
But what about the other CIP standards—CIP-002 through 009—which deal mainly with cyber security? Those standards, approved by NERC, are mandatory, but until FERC approves them, not enforceable. “I think that there is a misperception out there that the ERO is the nation’s reliability regulator and that the commission isn’t very involved in the process,” says Joe McClelland, director of the division of reliability at FERC. “That’s not really the legislative model. We do have independent authority to do these things … and we will be actively involved.”
Cramping the ERO’s Style?
Although NERC has no compliance audits scheduled for the remainder of 2007, that does not mean utilities are off the hook—either for sabotage-reporting compliance (CIP-001), or the several cyber-security mandates awaiting FERC approval. But the hardest compliance work will come after final approval of CIP-002 through 009.
“As far as standards go, [CIP-001] is a relatively minor standard,” says Stan Johnson, NERC manager, Situational Awareness and Infrastructure Security. “It’s not an area that we’ve had a lot of problems with within the industry, and it’s not one our compliance group is focusing on. The fact that we haven’t scheduled any audits around CIP-001 the rest of this year is more to do with [us] looking at the things that we think are really important and can clearly affect the reliability of the grid.
“Not to downplay CIP-001 too much, but it’s not a heavy hitter compared with some of the other standards we’re out there doing audits on.”
A Notice of Proposed Rulemaking (NOPR) on CIP-002 through 009 was, at press time, anticipated in the “near future,” according to FERC’s McClelland.
The approval of CIP-001 was part of a group of 83 reliability standards that took effect in June, while CIP-002 through 009, yet to be approved by FERC, have an implementation schedule stretching out through 2010. But for now, the full requirements of CIP-001 must be met.
“The industry needs to remember that these CIP-002 through 009 standards, although they are not enforceable with penalties, are mandatory with NERC, and they need to be working to implement part of this implementation schedule,” says NERC CIO Lynn Costantini. “We do expect