State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
Too Much Reliability
NERC confronts a case backlog now numbering in the thousands.
the actual harm from load loss in the Turlock event:
“Because the consequences of Turlock’s alleged violation are much more severe … the penalty against Turlock arguably should be higher than the highest penalty amount yet assessed for the same violation.”
These words sent shock waves through the industry. In fact, FERC’s July summit was likely called to calm fears arising from Turlock, as Commissioner Spitzer implied in his opening statement—“I want to assure you that loss of load is not a per se violation of the reliability standards … that’s not the Federal Power Act.”
But industry experts decidedly were not assured. They noted repeatedly that NERC has always treated load-shedding as good utility practice if that’s the last option in the operator’s tool box to avoid a cascading outage across a wide region.
APPA CEO Mark Crisson observed that under FERC’s penalty guidelines as originally proposed last March (later finalized in September, after the summit, as noted in the November Fortnightly, p. 34, “Top Ten legal Decisions of 2010”), the Turlock outage could warrant a $15 million penalty:
“That’s pretty close to the annual budget of a system with 20,000 customers.”
And the threat could prove as bad (or worse) than the execution. At the November conference, testifying on behalf of the Large Public Power Council, Sacramento Municipal Utility District CEO John DiStasio explained how municipal utilities must walk the line:
“There is often a huge chasm between the potential penalties detailed in a Notice of Alleged Violation, and the settlement with a regional entity. That gap seems to us often to signify that the NOAV is out of proportion with what the regional entity reasonably believes the violation is worth.
“This is especially true for a municipal utility seeking financing, which must report the potential liability, even if the ultimate result is not likely to be damaging. The potential penalty may leave a utility little choice but to enter into a settlement, even if it genuinely believes it acted appropriately.”
FERC’s stick-and-carrot approach (first the wake-up call, then outreach at the summit) appears to be paying dividends.
For example, the electric industry seems united in favor of a less-onerous administrative sanction—a “traffic ticket”—in the case of minor violations, such as documentation failures, that pose little if any risk to reliability. FERC endorsed that approach formally in its three-year performance assessment issued in September, but nevertheless advised that utilities cannot simply plead nolo contendre . Rather, any traffic ticket must come with a legal finding that a violation in fact occurred. Otherwise, FERC said, the prior violation could escape notice if a repeat violation should occur, leading to “insufficient recognition” of compliance history in a subsequent penalty matter ( See, 132 FERC ¶61,217, para. 219 ).
FERC Chairman Wellinghoff raised the matter again at the November conference, asking NERC CEO Cauley “how fast” he would put a traffic ticket regime in place.
“We’re shooting for January,” said Cauley, “but not on the first.
“And that’s 2011,” he added, for good measure.
And last month NERC submitted