The marriage between Exelon and PSEG would create the largest electric utility in the United States. The policy implications could loom even larger, however. Standing at risk is nothing less than...
Setting the Standard
NERC’s new cyber security rules may minimize cost of compliance, but they leave utilities guessing on how to identify risks.
would keep the guidelines flexible and allow updates outside the cumbersome standard-setting process, which requires FERC’s OK.
In fact, NERC already has offered some guidance in its “Frequently Asked Questions,” a 30-page document posted on its website:
QUESTION: Why aren’t all Cyber Assets associated with the Bulk Electric system required to be secured and protected under the Cyber Security Standards?
ANSWER: The implementation … is limited … by focusing on Critical Assets … that are essential to the operation of the bulk electric system … .
Yet consider another Q&A paragraph, appearing further down on the very same page:
QUESTION: Does redundancy of the Critical Asset or a Critical Cyber Asset change the criticality of these assets?
ANSWER: No, in NERC’s Cyber Security Standards, redundancy does not affect the criticality of any asset.
The DOE’s Western Area Power Administration may have solved the problem. WAPA claims it has isolated its SCADA and AGC systems so as to have “very little interaction” with the outside world.
“There is no access to the Internet, no email, and no connectivity to the corporate network.”
Cost of Compliance
FERC pegs the annual industry-wide cost of compliance at $24.7 million, but MidAmerican Energy counters that as a single company, its costs likely will equal a “substantial fraction” of FERC’s total estimate.
Reliant Senior Counsel Gretchen Scott notes that compliance costs for critical black-start generating units could well exceed revenues. As she explains in her company’s written comments, “Reliant is aware that numerous companies in the industry are evaluating whether they can continue to provide black start service when to do so would be at a loss.”
NERC handles compliance cost in a trio of concepts—“reasonable business judgment,” “technical feasibility,” and “acceptance of risk”—that all mean essentially the same thing. That is, an industry participant can decline to fix a cyber risk if it would prove too costly or create new risks for operations or reliability. Such ideas, however, have riled regulators and software experts.
In December 2006, in its preliminary assessment, the FERC staff warned that “for interconnected control systems of various entities, an acceptance of a cyber risk by one entity marks an acceptance of the risk for all connected entities. The staff report added that any party accepting risk would become “the weak link in the chain.”
That warning led FERC in its July 2007 NOPR decision to instruct NERC to remove all traces of the term “acceptance of risk” from the final standards. FERC ordered the same fate for “reasonable business judgment.”
However, NERC now has conceded that FERC “makes a strong case” for killing the reference to “reasonable business judgment.” Utilities and NERC now say they do not object to removing language referring to “risk acceptance” or “reasonable business judgment”—as long as the re-write occurs through NERC’s stakeholder process, and retain a degree of flexibility.
A key question remains, however. Can companies claim technical infeasibility simply because costs are burdensome, as NERC insists? Or must utilities bend to FERC’s will, as expressed in the NOPR, and make costly upgrades