The Federal Energy Regulatory Commission (FERC) has approved the North American Electric Reliability Corporation’s (NERC’s) motion to defer implementation of seven reliability standards—including for grid cybersecurity—that were slated to become effective this year.
In an April 17 order, FERC approved NERC’s April 6 requested motion to defer the implementation of the standards, which have effective dates or phased-in implementation dates in the second half of 2020. The measure was prudent because though bulk power system registered entities “have taken steps to prepare for contingencies,” it is “reasonable to provide them additional flexibility to properly allocate resources to address the impacts of COVID-19,” FERC said.
In a statement on Monday, however, NERC said it is continuing to evaluate “circumstances to determine whether more implementation delays may be needed. While this motion addresses only those Reliability Standards scheduled to become effective during the remainder of 2020, NERC recognizes that there are significant uncertainties regarding the duration of the outbreak and the subsequent recovery.”
Reliability Standards Affected by FERC Order
In its April 6 motion, NERC—the FERC-certified Electric Reliability Organization—asked that entities receive three more months to implement a suite of three cybersecurity standards that it has deemed essential to protect the bulk power system from debilitating attacks.
- CIP-005-6—Cyber Security – Electronic Security Perimeter(s), by three months; new proposed effective date: Oct. 1, 2020.
- CIP-010-3—Cyber Security – Configuration Change Management and Vulnerability Assessments, by three months; new proposed effective date: Oct. 1, 2020.
- CIP-013-1—Cyber Security – Supply Chain Risk Management, by three months; new proposed effective date: Oct. 1, 2020.
Approved by FERC in 2018, these standards require entities to develop and implement supply chain cybersecurity risk management plans and implement new controls. In its motion, NERC said the delay was necessary because the pandemic could affect supply chains and prompt personnel disruptions.
Other standards include:
- PER-006-1—Specific Training for Personnel, by six months; new proposed effective date for the U.S.: April 1, 2021.
- PRC-027-1—Coordination of Protection Systems for Performance During Faults, by six months, new proposed effective date: April 1, 2021.
- PRC-002-2—Disturbance Monitoring and Reporting Requirements (phased-in implementation for Requirements R2-R4 and R6-R11), by six months, new proposed effective date: Jan. 1, 2021.
- PRC-025-2—Generator Relay Loadability (phased-in implementation for Requirement R1, Attachment 1, Table 1 Relay Loadability Evaluation Criteria Options 5b, 14b, 15b, 16b), by six months; new proposed effective date: Jan. 1, 2021.
These standards would have required industry to develop and implement generator plant staff training programs, integrate the functions and limitations of protection systems and action schemes into their operational planning analyses and real-time assessments, and monitor and report disturbances. (An explanation of all deferred standards are here: NERC Moves to Defer Reliability Standards, Provide COVID-19 Flexibility.)
Three-Day Response Period
Of specific note is that FERC nearly immediately granted NERC’s April 6 request for a shortened response period, giving industry only three days to respond to NERC’s measure.
Trade groups representing nearly all North American grid operators—including AESO, CAISO, ERCOT, IESO, ISO-NE, MISO, NYISO, PJM, and SPP—as well as generating companies, represented by the Edison Electric Institute, the American Public Power Association, the National Rural Electric Cooperative Association, and the Large Public Power Council, quickly filed motions lauding NERC’s motion.
Industry response, including to comments sent to POWER, have been, for the most part, positive, especially as they relate to the cybersecurity standards. As Alex Santos, CEO of Fortress Information Security wrote: “These are unprecedented times and we fully support FERC’s approval of NERC’s request to delay the implementation of several security policies until October 1.” He added: “Our nation’s power grid remains strong and secure, but this summer will require utilities of all types and sizes across the country to come together and collaborate to identify critical risks and protect the supply chain from emerging threats.”
Perhaps owing to the shortened response time, FERC received only one response opposing the measure. Grid security advocacy group Protect Our Power urged FERC to shorten the 90-day delay of the supply chain cybersecurity standard. The threat posed by cybersecurity concerns is widespread and insidious, it suggested, noting: “It is undeniable that the risk that foreign governments, rogue agents and hackers pose to the electric grid, and to the supply chain for the grid, is a crisis unto itself.”
FERC also received a single protest, filed by Michael Mabee, a private citizen who is a member of the ad hoc Secure the Grid Coalition. Mabee decried the three-day response period as “unreasonably” short. He also argued that because the U.S. government, NERC, and the electric industry have been aware of a pandemic threat for years, it should have been prepared. “If the Commission believes it must grant the requested relief, then this is evidence that the industry was not adequately prepared for a pandemic,” he wrote. “Therefore, if granting the requested relief, the Commission should also direct NERC to develop a CIP standard for pandemic and biological hazard preparedness.”
In its order on Friday, FERC said, “Even if the answer and protest had been timely submitted, we would have denied them on the merits.”
It added: “We are unpersuaded that NERC’s requested three-month extension ‘may not be in the public interest’ and find that, although registered entities have taken steps to prepare for contingencies, it is nevertheless reasonable to provide them additional flexibility to properly allocate resources to address the impacts of COVID-19. NERC’s requested extension allows entities to do so and NERC has indicated that granting the motion will not adversely impact the reliability of the Bulk-Power System.”
Standards Still Subject to Future Enforcement
According to a POWER analysis, at least five other reliability standards already approved by FERC remain unaffected by FERC’s April 17 order. These remain subject to future enforcement. “I would not say we are actively considering implementation delays for these or any other standards, but as conditions evolve we would consider whether additional delays are necessary,” Howard Gugel, vice-president and director of Standards and Engineering at NERC, told POWER on April 22. “This might include standards that are scheduled to become effective in 2021 or 2022. It all depends on the facts and circumstances,” he said.
TPL-007-4—Transmission System Planned Performance for Geomagnetic Disturbance Events (October 2020, phased in through 2024). Establishes requirements for Transmission system planned performance during geomagnetic disturbance (GMD) events.
CIP-008-6—Cyber Security — Incident Reporting and Response Planning (January 2021). Mitigates the risk to the reliable operation of the BES as the result of a Cyber Security Incident by specifying incident response requirements.
PRC-012-2—Remedial Action Schemes (effective January 2021, phased in through 2027). Ensures that Remedial Action Schemes (RAS) do not introduce unintentional or unacceptable reliability risks to the BES.
CIP-012-1—Cyber Security – Communications between Control Centers (July 2022). Protects the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.
TPL-001-5—Transmission System Planning Performance Requirements (July 2023). Establishes Transmission system planning performance requirements within the planning horizon to develop a Bulk Electric System (BES) that will operate reliably over a broad spectrum of System conditions and following a wide range of probable contingencies.