Cyber Standards: FERC Asserts Its Authority
NERC’s first critical-infrastructure standard is now enforceable. But cyber rules await approval.
FERC to take action on these standards in the relatively near future,” she adds.
Once FERC takes action on CIP-002 through 009, a NOPR and industry comment period will follow before the commission issues a final rule.
In issuing the first 83 reliability standards, FERC also directed the ERO and regional entities to focus on the most serious violations through the end of the current calendar year.
The implementation plan announced for CIP-002 through 009 remains in effect and will be watched by NERC and its regional entities. Balancing authorities, transmission-service providers, and transmission operators are expected to have begun work toward compliance on all cyber-related mandates, although auditable compliance—supported by at least 12 months of data—won’t be required until 2010, or, in some cases, 2009.
In announcing the advent of its CIP enforcement earlier this summer, NERC said it had prepared for June 18 by putting systems and people in place, training compliance auditors both at NERC and at its regional entities, and by establishing a compliance hotline.
“We are hiring people to do these audits. The regions are [hiring] also,” Johnson confirms. “Clearly, our staff has grown in the past two years from about 50 people here at NERC in Princeton, N.J., to now approaching 100. The regions have seen not quite as much growth, but they’re also adding significant staff.
“We’re [also] putting in a new computer system that will help us with the scheduling of these audits, the reports that will be written. We’re doing all those things to help us be a professional auditing organization.”
Of the new employees, about 80 percent are in NERC’s enforcement group and its readiness group, which periodically visits entities to help them prepare for a compliance audit.
Ready to Go
But what if FERC were to approve NERC’s cyber standards tomorrow? Would the commission’s new staff be ready to conduct the required audits?
“We would be,” Johnson says, but only according to the current implementation plan, with its lesser compliance goals set for 2007 and 2008. Depending on whether a responsible entity self-certified to the requirements of NERC’s earlier standard, known as NERC 1200—applicable mostly to organizations that operated transmission control centers—the entity must have at least begun work toward compliance. As of the conclusion of the second quarter of 2007, self-certifying transmission operators, reliability coordinators, and balancing authorities are to have begun work on CIP-002 through 009, and must achieve substantial compliance for some requirements by the end of June 2008. For those entities that were not required to self-certify to NERC 1200, the threshold is only that they have begun work toward compliance with the cyber standards.
“The burden of proof there is nowhere near as significant as if the entity has to prove they are auditably compliant,” Johnson says of the requirements to show that a responsible entity has begun work toward compliance. “The auditor doesn’t have to be as sophisticated as they will be when they will have to determine that the entity is auditably compliant.”
As each entity moves toward auditable compliance, the