NERC Today and Tomorrow
Living in the new world of mandatory reliability standards.
also has issued draft guidance for categorizing cyber systems. 19 The informal comment period for the guidance document ended in February 2010. As part of extensive revisions according to FERC Order 706, proposed changes to critical cyber asset identification in CIP-002-4 may replace terms such as critical assets and critical cyber assets. 20 Instead, the cyber system and bulk electric system subsystem will be categorized according to their potential level of impact on reliable operation. Registered entities then will map systems according to the impact categories. The guidance document could play a crucial role in registered entities’ understanding of the new standard and in how regulatory entities assess compliance.
The long NERC standards development process constitutes a basic logistical challenge, which can impede timely responses to security risks. It could be considered a minor issue in the pending legislation to give FERC more authority to deal with cyber security issues. 21 The current standards development process simply can’t keep up with rapidly changing security situations. Besides legislative changes, another solution might be guidelines. For example, smart-grid guidelines have the potential to be more agile and capable of addressing immediate problems by not passing through the mandatory standards development process. While the real-time tools best practices task force engaged in fact finding for three years, guidelines can be developed within a shorter timeframe and with a less complicated process. Despite the lack of enforceability, the non-mandatory guidelines can assist with how a bulk power systems participant assesses smart-grid equipment as to overall effect on reliability and can identify certain useful resources, if any. They also can suggest steps that should be taken before applications are installed or changed. Last, they can suggest security practices beyond those required by the mandatory standards. Over time, more examples of excellence will develop to further assist with reliability challenges.
In general, guidelines and examples of excellence are helpful in changes with far-reaching consequences, such as the smart grid. Guidelines and examples of excellence create awareness of the considerations that will ensure bulk-power system reliability in order to prevent loss of money and resources from a blackout for the electric industry and customers alike.
Formal standards compliance and enforcement procedures have been in place only since June 2007. The transition period from June 18, 2007, to Dec. 31, 2007, was a period when entities were encouraged to self-report and NERC and regional entities had enhanced enforcement discretion to dismiss or settle violations. 22 When the transition period ended, violations were processed in a uniform manner. Violations have decreased from 2007 to 2008. Before June 18, 2007, there were 5,079 violations reported and almost half were dismissed, and for all of 2008 the regional entities reported only 1,646 violations. 23 From these facts, it’s simply too soon to conclude that the decrease is due to increased compliance and not due to the special circumstances during the transition period. Likewise, mitigation compliance improved from 2007 to 2008, but again, this might be due to relaxed compliance assessments and a newly installed staff. At the compliance