Electric Reliability Update - December 5, 2013

December 5, 2013

FERC

Chairman Wellinghoff Steps Down; Commissioner LaFleur Becomes Acting Chairman November 25 – At the November 21 FERC meeting, Chairman John Wellinghoff announced his resignation.  On November 25, President Barack Obama appointed Commissioner Cheryl LaFleur Acting Chairman.  The decision leaves four FERC commissioners until such time as a fifth is nominated and confirmed; the President could either seek to have the new member appointed as Chairman, or seek to make Acting Chairman LaFleur the formal Chairman.

Final Rule on Critical Infrastructure Protection December 3 - FERC issued Order No. 791, a final rule accepting in part and rejecting in part NERC’s proposed Version 5 Critical Infrastructure Protection (CIP) reliability standards.   FERC rejected NERC’s proposed language requiring enitities to “identify, assess, and correct” violations due to concerns about whether the standard was sufficiently clear to be enforced.  FERC  left open the possibility that NERC could propose other ways to lessen the enforcement burden for entities with strong internal controls in future iterations of the standards.  The new CIP standards will require major changes for registered entities.  For example, entities will need to classify cyber assets and systems into “low,” “medium,” and “high” impact categories based on the potential for each asset or system to affect grid reliability if compromised by a hacker or cyber terrorist.  The expansion of requirements for low-impact systems and assets will be a time-intensive task.  The new CIP standards will replace the currently effective CIP Version 3 standards on January 1, 2016; CIP Version 4, which FERC approved last year, will be retired without taking effect. 

Commissioner LaFleur issued a statement supporting the changes NERC is undergoing in an effort to revamp its reliability standards and enforcement programs, but cautioned that, for NERC to be successful, future standards must be “clear, enforceable, and technically justified.”

NERC also posted a response to FERC’s actions on multiple reliability orders, stating its approval and indicating that it will work to implement the changes sought by the Commission.

34 Reliability Standard Requirements and 41 Reliability Directives to be Retired.  November 21 – FERC issued Order No. 788 approving the retirement of 34 requirements within 19 reliability standards on the grounds that the requirements provide little protection to the Bulk Power-System or are redundant with other standards.  The retirements, which are effectively immediately, are the result of NERC’s “Paragraph 81 project,” undertaken in response to a FERC request that NERC identify requirements that could be retired.  In the order, FERC also withdrew 41 reliability directives to NERC that it found to be stale, non-specific in nature, or redundant.  The changes will take effect on January 20, 2014, 45 days after publication in the Federal Register.

FERC Approves WECC Contingency Reserve Standard November 21 – FERC issued Order No. 789, approving WECC’s proposed contingency reserve requirements for balancing authorities within its footprint (WECC Reliability Standard BAL-002-WECC-2).  The new regional standard responds to FERC concerns and includes new methodology for calculating minimum contingency reserves, expands the categories of resources that can qualify as spinning reserves, and clarifies terminology.  The new standard will take effect on October 1, 2014, the first day of the third quarter after the Order takes effect.

FERC NOPR Remands TOP Reliability Standards November 21 – Citing concerns about reliability impacts, FERC issued a notice of proposed rulemaking (NOPR) that remands some of NERC’s proposed revisions to the Transmission Operations (TOP) and Interconnection Reliability Operations and Coordination (IRO) standards.    Among its concerns, FERC highlighted the proposed change that would not require transmission operators to plan and operate within all System Operating Limits (SOLs), including non-Interconnection Reliability Operating Limit (non-IROL) SOLs.  Failure to operate within non-IROL SOLs was a factor in causing both the Northeast Blackout of 2003 and the Southwest Outage Blackout of 2011, FERC said.  FERC proposes to remand both standards to NERC for consideration of changes.  FERC also proposed to approve separate proposed revisions to Reliability Standard TOP-006-3 that address monitoring and notification obligations of reliability coordinators, balancing authorities and transmission operators.  Comments on the Proposed Rule are due by February 3, 2014.

FERC Issues Annual Enforcement Report November 21 – FERC issued its 2013 Report on Enforcement.  Among the FERC enforcement actions in FY2013, the Division of Audits and Accounting conducted audits of NERC, each of the Regional Entities, and three Registered Entities; FERC approved three settlements resolving violations of reliability standards, opened eight investigations involving reliability standards, and closed one investigation involving reliability standards without action; FERC received 45 full Notices of Penalty (NOP) from NERC encompassing 520 possible or confirmed violations (375 of which involved the Critical Infrastructure Protection (CIP) reliability standards), and 12 Spreadsheet NOPs  encompassing 575 possible or confirmed minimal or moderate risk violations; and  NERC also filed or posted 796 possible violations in Find, Fix, and Track (FFT) reports (456 of which were CIP-related).  The NOPs and Spreadsheet NOPs collectively proposed $8.6 million in penalties, all of which FERC declined to review. 

NERC

NERC Enforcement Actions November 27 – NERC filed with FERC four Notices of Penalty in individual dockets, as well as a Spreadsheet Notice of Penalty addressing 28 violations of 12 standards.

NERC Comments on Proposed Update to Generator Verification Reliability Standards November 25 – NERC filed comments supporting FERC’s proposed approval of revised reliability standards for generator data reporting, verification, and modeling to support reliable system planning.  NERC answers questions in the NOPR about the applicability thresholds in the new standards and the meaning of provisions to allow transmission planners to require generators to provide model reviews when “technically justified.”

NERC Compliance Filing on Timeframe to Restore Power to Auxiliary Power Systems of Nuclear Plants Following a Blackout  November 26 – As required by Paragraph 629 of FERC Order No. 693, NERC submitted a quarterly compliance filing regarding the timeframe to restore power to the auxiliary power systems of U.S. nuclear power plants following a blackout.

NERC Budget Compliance Filing November 22 – NERC submitted a compliance filing to FERC pursuant to FERC’s November 1, 2013 Order approving the 2014 Business Plans and Budgets of NERC and the Regional Entities. The filing explains how NERC will allocate $3.8 million relating to its office leases consistent with its Working Capital and Operating Reserve Policy.

CYBERSECURITY DEVELOPMENTS

Technical Analysis of Stuxnet Released – Ralph Langner has released a new Technical Analysis of the Stuxnet malware that was successfully deployed against the Iranian nuclear program.  The new report assesses Stuxnet’s two different attack routines and finds that while Stuxnet may not be easy to replicated to attack U.S. critical infrastructure, it will likely influence the design of future cyberattacks.

White House Report Identifies Opportunities for Strengthening Cybersecurity November 22 – The President’s Council of Advisors on Science and Technology issued a report to President Obamaentitled Immediate Opportunities for Strengthening the Nation’s Cybersecurity.  The report found that the federal government rarely follows accepted best practices for cybersecurity, and recommends specific improvements.  The report also identifies opportunities to use existing regulatory authority to promote cybersecurity in the private sector.  Speaking separately on November 19, Suzanne Spaulding, the Acting Undersecretary for National Protection and Programs at the Department of Homeland Security, voiced support for limiting private-sector liability for sharing information relevant to cybersecurity.

ICS-CERT Provides Follow-Up Advisory Regarding DNP3 Vulnerability November 21 –To further address the vulnerability in SCADA and industrial control systems (ICS) in the DNP3 protocol, ICS-CERT issued an an updated advisory, which highlights the vendors producing patches or upgrades to mitigate the original, reported vulnerability.  For additional coverage, see VNF’s October 25th issue of the Reliability Update. 

###
The Van Ness Feldman Electric Reliability Update is published by Andrew ArtMalcolm McLellan and Gabe Tabak, with assistance from Christopher ZentzThomas HuttonIlan Gutherz, and Van Smith.  Van Ness Feldman counsels, advises and trains a wide range of clients on reliability matters.  Please email us for additional information.