FERC, CFTC, and State Energy Law Developments

On December 7, the Energy Bar Association sponsored a discussion on FERC-led audits of entities’ compliance with the North American Electric Reliability Corporation’s (NERC’s) critical infrastructure protection (CIP) Reliability Standards. Staff members from FERC and NERC led the discussion and fielded questions from industry participants. This session provided the first public peek into the process for the CIP audits.

While FERC has the authority to conduct its CIP audits with or without NERC and the regional entities charged with front-line enforcement of the Reliability Standards, the panelists explained that FERC wanted to coordinate with NERC and the regional entities to leverage their collective compliance and enforcement experience.

On November 17, FERC adopted regulations to enhance the protection of Critical Energy Infrastructure Information (CEII) using its new statutory authority from the Fixing America’s Surface Transportation Act (FAST Act), which added Section 215A to the Federal Power Act.

In addition to finalizing the new protections for CEII promised in the initial notice of proposed rulemaking, the final rule also adopts a prohibition on the disclosure of CEII under the Freedom of Information Act (FOIA). The FAST Act had, for the first time, exempted CEII from FOIA disclosure. In the past, FERC had taken the position that it would not disclose CEII in response to FOIA requests, but there was no explicit statutory basis for doing so. With the new statute and implementing regulations, there is no longer any legal doubt regarding the FOIA-exempt nature of CEII.

Despite the apparent strict nature of these protections, the degree to which CEII will be protected remains to be seen. Although CEII is FOIA-exempt under the FAST Act, FERC continues to provide procedures whereby interested parties can submit requests for CEII and be granted access if such interested parties show a legitimate need and commit to non-disclosure. In the past, FERC has generally been willing to share CEII upon request; the new regulations provide modest additional regulatory procedures for such requests, but it is possible that FERC will continue its policy of making CEII easily available to interested parties. The language in the FAST Act does allow FERC to decline to disclose CEII, but—so far—FERC has not chosen to take that route.

In a final rule issued on September 22, the Federal Energy Regulatory Commission (FERC) established requirements for certain entities to assess the vulnerability of their transmission systems to geomagnetic disturbance (GMD) events. Such events occur when the sun ejects charged particles that interact and cause changes in the earth’s magnetic fields.

Reliability Standard TPL-007-1 (Transmission System Planned Performance for Geomagnetic Disturbance Events) sets requirements for certain transmission and generator owners, planning coordinators, and transmission planners to assess the vulnerability of their systems to a benchmark GMD event, described as a “one-in-100-year” event. Those entities are required to develop

  • system models necessary to complete the vulnerability assessments at least once in every 60 calendar months and
  • criteria for acceptable steady state voltage performance during a benchmark GMD event.

On July 21, FERC directed NERC to develop a new or modified “forward-looking, objective-driven” Reliability Standard that addresses supply chain risk management for industrial control system hardware, software, and computing and networking services (“cyber controls”) associated with BES operations. FERC required the standard to address

  • software integrity and authenticity;
  • vendor remote access;
  • information system planning; and
  • vendor risk management and procurement controls.

FERC is concerned that a “gap” exists in the CIP Reliability Standards, which has been highlighted by recent events where malware campaigns have targeted supply chain vendors in BES cyber control systems.

FERC expressed concern that vulnerable systems may be attacked either through the hardware or software components of a cyber-control system or through a third-party service provider that has access to sensitive IT infrastructure or that holds or maintains sensitive data.

On July 21, prompted by cyberattacks highlighting cyber system vulnerabilities that may be exploited to attack the operation and maintenance of interconnected networks, FERC sought comment from industry participants on possible modifications to the CIP Reliability Standards that could address the cybersecurity of control centers used to monitor and control the BES in real time.

The Commission seeks comment on the following:

  • The operational impact of forming a separation between the internet and BES control center cyber systems performing transmission operator functions through use of physical (hardware) or logical (software) means.
  • Whether rules should be implemented concerning “application whitelisting,” computer administration practices that would prevent unauthorized programs from running on a system network. FERC believes that application whitelisting could be a more effective mitigation tool than other mitigation measures because whitelisting allows only software applications and processes that are reviewed and tested before use in the system network.

In a final rule issued on June 16, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to make available to FERC staff certain databases developed by NERC that contain detailed, entity-specific information on transmission and generation assets as well as protection system misoperations.

FERC concluded that it needs access to the information in these databases to carry out its reliability responsibilities under section 215 of the Federal Power Act, including the identification of needed new or modified reliability standards and a better understanding of NERC’s periodic reliability and adequacy assessments. The only changes from FERC’s initial proposal were to limit FERC staff’s access to information about US facilities and to exclude any information voluntarily provided to NERC.

On March 21, 2016, the North American Electric Reliability Corporation (NERC) submitted an informational filing to update the Federal Energy Regulatory Commission (FERC or Commission) on the implementation of the Risk-Based Registration (RBR) initiative—a program NERC launched to reduce unnecessary compliance and registration burdens through the use of risk-based assessments. The filing is an example of NERC’s continued push towards implementing a risk-based approach to reliability and focusing compliance and enforcement efforts on high-risk areas. As reflected in the filing, certain low-risk entities have been dropped from the NERC Compliance Registry, removing the reliability compliance obligations to which those entities were previously subject.

The electric utility industry has spent vast amounts of money on cybersecurity, an investment that has steadily escalated since the Critical Infrastructure Protection (CIP) Reliability Standards became effective in 2008. Those investments, and the increasingly strict CIP Reliability Standards, were intended to address fears that hackers could use the industrial control systems and other computer systems that control the electric system to cause a blackout. Until recently, that threat was hypothetical. Now, for the first time, public reports have emerged of hackers taking down part of an electric grid.

In late December 2015, hackers allegedly infected several of Ukraine’s power authorities, causing blackouts that lasted several hours and affected thousands of people. Ukrainian authorities confirmed that malicious software infected several control systems, which disabled those systems and resulted in a power outage. The malware, known to have been involved in attacks since 2007, was reportedly embedded in Microsoft Office documents and was retrofitted to include code targeting power stations and other critical infrastructure. Although the geopolitical circumstances in Ukraine are drastically different from those faced by electric utilities in the United States, the attack provides a “proof of concept,” demonstrating that it is possible for an attacker to cause a widespread blackout—the threat is no longer hypothetical.

The newly passed "highway bill" (Fixing America’s Surface Transportation Act) amends the Federal Power Act to incorporate new energy security provisions.

The provisions aim to strengthen the federal government’s authority over electric grid emergency response, facilitate coordination among federal agencies on reliability issues, enhance the protocols for protecting and sharing Critical Energy Infrastructure Information, and exempt utilities from environmental penalties when operating subject to Department of Energy emergency directives.

Please join us for a one-hour webinar about the new provisions and how they will likely affect electric utilities.

Topics will include:

  • An overview of the new provisions
  • The provisions’ background
  • The regulatory steps required

CLE credit: CLE credit in CA (1.0 hour), FL, IL, NJ (via reciprocity), NY, PA, TX, and VA is currently pending approval.

For more information, contact Mary Ann Huntington at +1.202.739.5622 or mhuntington@morganlewis.com.


If signed into law, measures would grant the DOE authority to order utilities to implement emergency protective actions.

Early yesterday morning, H.R. 22 (the Highway Bill) was amended on a voice vote to include an amendment (House Amendment 828) addressing critical energy security issues. Developed by Representative Fred Upton (R-MI) and sponsored by Representative Markwayne Mullin (R-OK), the amendment aims to strengthen the federal government’s authority over electric grid emergency response, facilitate coordination among federal agencies on reliability issues, and enhance the protocols for the protection and sharing of Critical Energy Infrastructure Information (CEII).

The amendment would authorize the Department of Energy (DOE) to order utilities, the North American Electric Reliability Corporation (NERC), or NERC Regional Entities to implement emergency security measures for up to 15 days at a time. Such orders would issue upon a written determination from the President identifying a grid security emergency, which could include malicious electronic or physical attacks or natural events (e.g., geomagnetic storm events) that could disrupt critical electronic devices or communications networks. The amendment provides for the DOE to reissue emergency orders for consecutive 15-day periods if each time the President finds that the emergency is continuing.

To streamline emergency response actions, the amendment would exempt utilities from penalties for violations of Federal Energy Regulatory Commission (FERC or Commission) orders and NERC Reliability Standards due to implementation of emergency security measures directed by the DOE. The amendment acknowledges that utilities may incur substantial costs while implementing emergency orders that may not otherwise be recoverable through existing regulated or market rates. To address this gap, the amendment’s cost-recovery provisions would direct the Commission to establish a separate mechanism that permits recovery of those emergency-related costs, subject to public notice and comment procedures.

If enacted, the bill would also amend section 202(c) of the Federal Power Act, 16 U.S.C. § 824a(c), to provide utilities with protection from environmental penalties while operating under an emergency order issued by the Commission. This would most likely apply in circumstances where DOE directs a generator to operate to ensure system reliability but that generator is required to reduce operations due to environmental limitations. Under existing law, the generator would be required to run but would simultaneously incur penalties for operating in violation of the environmental laws.  

The amendment also aims to strengthen existing CEII protections. Mandatory disclosures of CEII under the Freedom of Information Act or other federal and state mandatory disclosure requirements would be prohibited. Additionally, the amendment requires the Commission to segregate CEII and non-CEII within the agency and to require sanctions for knowing and willful disclosure of CEII by Commissioners, officers, employees, or agents of FERC.

Not all of the amendment’s provisions seek to unconditionally limit access to information. For example, federal agencies would be allowed to provide temporary access to classified information to entities subject to emergency grid security measures. The amendment also encourages the voluntary sharing of CEII (e.g., between federal and state authorities or between the Commission and cross-border authorities). Additionally, CEII designations by the Commission would last no longer than five years (unless redesignated) and would also be subject to judicial review.

Last, the amendment addresses the reliability risks posed by the unexpected loss of large power transformers. The amendment would require the DOE, FERC, NERC, and electrical infrastructure operators to develop a plan for storing spare large power transformers and emergency mobile substations that can be quickly deployed to temporarily replace damaged large power transformers and substations that serve grid-critical functions. The plan would need to determine, among other things, the number of spare transformers and mobile substations necessary to restore grid resiliency following an outage, the optimal locations of storage facilities, the relative ease and speed of deploying spare transformers and mobile substations, and the cost of implementing such a plan.

Read House Amendment 828.