Leadership Lyceum

Leadership Lyceum: A CEO’s Virtual Mentor

This podcast series focuses on corporate and industry strategy and trends from the direct vantage point of key industry leaders. Subscribe to the podcast at Apple iTunes. Interviews with Tom Fanning and Bob Flexon are available, as well as one with Joe Rigby, Bob Skaggs and Les Silverman.

See Podcasts

Public Utilities Reports

PUR Guide Fully Updated Version

Available NOW!
PUR Guide

This comprehensive self-study certification course is designed to teach the novice or pro everything they need to understand and succeed in every phase of the public utilities business.

Order Now

Cyber Standards: FERC Asserts Its Authority

NERC’s first critical-infrastructure standard is now enforceable. But cyber rules await approval.

Fortnightly Magazine - August 2007

In the midst of a long, hot summer, North American utilities have to worry about more than the typical seasonal strain on the grid. They need to be thinking about sabotage and cyber security.

Never far from administrators’ minds, sabotage has taken on even more importance with the approval of the first Critical Infrastructure Protection (CIP) standard by the North American Electric Reliability Corp. (NERC). At press time, a final rule on several cyber-security standards was expected soon.

NERC submitted numerous reliability standards for approval to the Federal Energy Regulatory Commission (FERC), which last year certified NERC as the nation’s Electric Reliability Organization (ERO). As of June 18, 2007, 83 of the standards—including the first CIP standard (see sidebar, “Standard CIP-001—Sabotage Reporting”) —have been approved.

But what about the other CIP standards—CIP-002 through 009—which deal mainly with cyber security? Those standards, approved by NERC, are mandatory, but until FERC approves them, not enforceable. “I think that there is a misperception out there that the ERO is the nation’s reliability regulator and that the commission isn’t very involved in the process,” says Joe McClelland, director of the division of reliability at FERC. “That’s not really the legislative model. We do have independent authority to do these things … and we will be actively involved.”

Cramping the ERO’s Style?

Although NERC has no compliance audits scheduled for the remainder of 2007, that does not mean utilities are off the hook—either for sabotage-reporting compliance (CIP-001), or the several cyber-security mandates awaiting FERC approval. But the hardest compliance work will come after final approval of CIP-002 through 009.

“As far as standards go, [CIP-001] is a relatively minor standard,” says Stan Johnson, NERC manager, Situational Awareness and Infrastructure Security. “It’s not an area that we’ve had a lot of problems with within the industry, and it’s not one our compliance group is focusing on. The fact that we haven’t scheduled any audits around CIP-001 the rest of this year is more to do with [us] looking at the things that we think are really important and can clearly affect the reliability of the grid.

“Not to downplay CIP-001 too much, but it’s not a heavy hitter compared with some of the other standards we’re out there doing audits on.”

A Notice of Proposed Rulemaking (NOPR) on CIP-002 through 009 was, at press time, anticipated in the “near future,” according to FERC’s McClelland.

The approval of CIP-001 was part of a group of 83 reliability standards that took effect in June, while CIP-002 through 009, yet to be approved by FERC, have an implementation schedule stretching out through 2010. But for now, the full requirements of CIP-001 must be met.

“The industry needs to remember that these CIP-002 through 009 standards, although they are not enforceable with penalties, are mandatory with NERC, and they need to be working to implement part of this implementation schedule,” says NERC CIO Lynn Costantini. “We do expect