Cyber Standards: FERC Asserts Its Authority
NERC’s first critical-infrastructure standard is now enforceable. But cyber rules await approval.
amount of work that the auditor has to do—and that the entity has to do—increases. “We’re starting off crawling, then walking and running,” Johnson says. “By 2009 and 2010, we really have to be at the top of our game.”
For now, Johnson says, “We need to get these people on board, trained, some first-hand experience in what to look for and how to conduct a good audit for cyber assets.”
With the federal commission keeping an eye on the industry and on the ERO, FERC wants it to be known that it can assert its independence, and its authority, at any time— although the ERO and regional entities typically initiate and conduct the investigation.
“The commission has a substantial role in the enforcement of CIP-001 and in fact, all of the reliability standards,” says FERC’s McClelland. “Although the ERO and the regional entities have the frontline responsibility for enforcement of the reliability standards, the commission does play a continuing and central role in enforcement matters.”
However, the commission wouldn’t step in and conduct its own investigation “unless it had some special reason to take this action,” he says. “If [NERC or a regional entity] gives us notice [of a violation], we can say, ‘That’s an important one,’ and send a team out. We can monitor and/or participate in the investigation, assume control of the investigation, or conduct an independent investigation. We have all those tools in our tool belt and will be using those tools as we move forward.”
Such oversight extends even to the possibility of accelerated implementation of the CIP-002 through 009 standards.
If there were a major outage prior to the approval and implementation of the remaining CIP standards, the commission “wouldn’t sit back and say, ‘Hey, that standard’s not mandatory and enforceable,’” McClelland says. “We would be prompted to action. The commission would look at the incident and consider whether implementation of the standard should be accelerated to protect the rest of the system.
“The commission can call for the ERO to develop and produce a standard. It can set a deadline, and it can accelerate that process if it’s in the interest of the reliability of the bulk-power system.”
As for what type of incident could provoke such action, McClelland responds in an open-ended fashion, suggesting that even approved standards are subject to revision if they prove to be ineffective:
“It could be anything. Say the proposed implementation date is 2011, and there’s a cyber-security incident that we see as a predominant threat. We could accelerate the timeline. Say it’s a new type of cyber threat that the standard didn’t contemplate. We could call for a new standard to be created by the ERO. Say it’s a standard in place, but it’s got a loophole. We could say, ‘We want a revision to this standard based on the incident that occurred.’”
But McClelland, after raising the possibility of FERC-imposed changes to NERC standards and enforcement, concludes with an olive branch to the ERO:
“All that said, the model is for the ERO and regional