Results tagged “NERC” from GTH Energy & Natural Resources Law Blog

Who Holds the Almighty and Powerful Ring? 13 Steps for Utility Cyber Security Protection

May 13, 2014

We are happy to announce that Eric Christensen and Maj. Gen. (Ret.) Tim Lowenberg of GTH-Governmental Affairs have published the cover story in the May 2014 Northwest Public Power Association Bulletin. Here is a link to the article on the NWPPA's website. The text of the article follows:

Cover Story
Who Holds the Almighty and Powerful Ring in the Cyber World?
Thirteen Steps for Utility Cybersecurity Protection

Eric Christensen, Partner
Gordon Thomas Honeywell
Maj. Gen. (Ret.) Tim Lowenberg, Vice President
Gordon Thomas Honeywell Governmental Affairs

While computer and internet technology create enormous benefits for twenty-first century utilities, they also expose utilities to new and sinister cyber threats. For utility managers, entering the cyber world can feel like entering J.R.R. Tolkien's "Middle Earth", a strange land filled with treacherous creatures like orcs, ring-wraiths, and wargs. Like Middle Earth, the cyber world is inhabited by peculiar and threatening forces ranging from amateur hackers to organized criminal enterprises searching for valuable financial information to politically motivated actors and nation-states capable of using malicious computer codes as weapons systems. And like Gollum, the hobbit twisted beyond all recognition by the power of the One Ring, threats in the cyber world often go undetected, arise from nebulous but nefarious motives and can unleash powerful, destructive effects beyond all expectation.

In light of the near-universal consensus among defense analysts, policy makers and computer experts that the electric utility sector is among the most vulnerable of sectors to cyber-attacks, how should utility managers address these threats? We recommend the following thirteen steps that all utilities, regardless of size, should take to mitigate risk in the complex and ever-changing world of cyber-security.

Step 1: NIST Cybersecurity Framework
On February 12, 2014, the National Institute of Standards and Technology ("NIST") released the first version of its Framework for Improving Critical Infrastructure Cybersecurity. The Framework, issued in response to President Obama's Executive Order No. 13636, is intended to create common, voluntary industry standards and best practices for addressing cyber-security threats. The Framework provides a standardized approach for identifying cyber-security threats and protecting organizations against those threats through technological fixes and education of management and front-line operators. While the Framework is an ongoing and evolving document, it is a useful starting point for developing a cyber security strategy. The steps we recommend here are consistent with the NIST Framework.

Step 2: NERC CIP Standards
Because they are mandatory and violations can lead to substantial penalties, NERC Reliability Standards are, of course, of primary concern to electric utilities. NERC's Critical Infrastructure Protection ("CIP") standards define utility obligations to address threats in the cyber-security realm and should therefore be a prime focus of every utility. After a long period of flux, the Federal Energy Regulatory Commission ("FERC") in November 2013 adopted Version 5 of the CIP standards, with certain reservations. Utilities with "High and Medium Impact" assets (as defined in NERC's "BES Cyber Asset" definition) must come into compliance with Version 5 by April 2016 and those with "Low Impact" assets must come into compliance by April 2017. Utility managers should therefore pay careful attention to these standards, as well as refinements to the standards now under development in response to FERC's November 2013 order. In addition, NERC is conducting a pilot program with results due in the near future that should provide useful information for utility compliance managers.

Utility managers should also pay close attention to physical security standards. In reaction to damage caused by a sophisticated physical attack on the Metcalf Substation in California's Silicon Valley, FERC on March 7 ordered NERC to develop standards to secure key electrical facilities against physical attack. Compliance with these standards could be extremely expensive. In raising this concern, FERC Commissioner John Norris recently noted that just three utilities reported to him they may have to spend more than $500 million for physical security enhancements in the wake of the Metcalf incident. As is also obvious, under-reaction could prove even more costly for the utility and for our national security.

Step 3: Develop a Cyber-Security Strategy
In compliance with the NIST Framework and CIP standards, utility management should develop a cyber-security strategy that identifies cyber-risks, provides clear guidance and training to utility employees to effectively address those risks, and ensures the strategy is carried out and documented through continuous feedback to utility managers. As discussed below, it is important that the strategy include coordination with affected municipal and state governments, first responders, and Federal Information Sharing and Analysis Centers ("ISACs").

Step 4: CEO Briefings
The Cyber-Security Strategy developed in Step 3 should include a requirement for regular briefings of the utility's chief executive officer and relevant senior management by cyber security personnel, including updates on newly-identified cyber threats, progress in implementing CIP standards and other mitigation measures, and adaptations to the Strategy to address new threats, vulnerabilities and emerging challenges. Such briefings demonstrate the importance of cyber-security to the rest of the organization and ensure senior management is aware of cyber-related issues. Full awareness of cyber threats should, in turn, help assure the organization is devoting adequate resources to addressing those threats, and build the "culture of compliance" NERC looks for in assessing adherence to Reliability Standards.

Step 5: Legal Review of IT Contracts
The utility should conduct a legal review of its IT equipment and services contracts to ensure compliance with CIP standards, the Security Development Lifecycle guidelines discussed below, the utility's internal Cyber-Security Strategy, and other relevant requirements.

Step 6: Review IT Procurement
The utility should also ensure it is procuring computer software and hardware in a "secure" manner in conformity with Security Development Lifecycle ("SDL") processes and other best practices. Such procurement practices guard against incorporation or introduction of unsafe equipment and malicious software into the utility's computer systems.

Step 7: Procurement Staff Training
Consistent with Steps 5 and 6, the utility's procurement and acquisition staff, as well as its IT security staff, should receive training on SDL and other requirements relevant to IT acquisition and should be given resources sufficient to ensure effective cyber security provisions are incorporated into all IT acquisition contracts.

Step 8: Verify Implementation of Cyber-Related Contract Requirements
To ensure the measures discussed in Steps 5 through 7 are properly implemented, the utility should review its contractual relationships with third-party IT service providers to verify that security-related requirements of IT contracts are actually being carried out in conformity with contractual and industry standards. Substandard computer installations and non-conforming contract services can give hackers, cyber-criminals, and cyber-attackers access to critical computer-controlled infrastructure.

Step 9: Use Information Sharing and Analysis Centers ("ISACs")
ISACs (mentioned in Step 3 above) are sector-specific organizations developed voluntarily in cooperation with the Department of Homeland Security to facilitate detection and prevention of cyber-intrusions, vulnerability scanning, penetration testing, and training and education services. The Department of Homeland Security coordinates the flow of information to, from and among fifteen national ISACs. Utility managers and security officials should pay particular attention to ES-ISAC, the ISAC for the electricity sector. Information from other ISACs may also enhance awareness of cyber-threats as well as the tactics, techniques and procedures employed by nefarious actors. These collateral sources include the Multi-State ISAC, which provides cyber threat information and cyber response assistance to state and local governments including utility commissions; the Supply Chain ISAC, which focuses on threats identified in the acquisition/procurement process; the Water ISAC, which provides useful information for water utilities; the Nuclear Energy ISAC, which covers nuclear energy cyber issues; and the Financial Services ISAC, which has information helpful to protecting the financial information of utility customers as well as the utility's own financial information.

Step 10: Develop Disaster Recovery Plans
Most utilities have extensive business continuity and recovery plans that describe how the utility will deal with natural disasters such as earthquakes and major storms. Disaster preparedness also requires development of plans to assure the utility's recovery from a major cyber-attack or series of attacks. The threat of such attacks is so real that a cyber mitigation, response and recovery plan should be the subject of a separate, detailed Annex to the utility's continuity plan. NARUC's Cybersecurity for State Regulators 2.0 (February 2014) provides a comprehensive set of criteria and recommended actions (from a wide variety of sources) for utility commissions to use as assessment tools. These sources and others are helpful in developing an effective Cyber Annex to the utility continuity and recovery plan.

Step 11: Build a Relationship With Law Enforcement
Federal, state and local law enforcement agencies and some state military departments have important roles in identifying cyber intrusions, developing coordinated responses to such intrusions, apprehending or assisting in the apprehension of cyber criminals and recovering from major cyber incidents. Utilities should strive to build strong relationships with these agencies. To be effective, the utility must pre-identify the specific law enforcement officials it will contact in case of a suspected terrorist attack or cyber intrusion. The utility should go beyond the minimum requirement of compiling a contact list to create active, ongoing relationships with the law enforcement officials it will need to rely on in the event of a major cyber-attack.

Step 12: Practice Cyber Incident Responses
As with most utility functions, the adage "practice makes perfect" applies to cyber incident preparedness and cyber incident response. Fortunately, the Department of Homeland Security's "Cyber Storm" program offers excellent opportunities for utilities to participate in a realistic simulation of a major cyber-attack. The Cyber Storm exercise series provides an opportunity for more than 1,000 local entities to participate in a coordinated, week-long national cyber exercise, the results of which are used to develop other progressively challenging exercises and enhance the nation's cyber response systems. Washington utilities such as Snohomish County PUD played an active role in the 2013 Cyber Storm exercise. The next Cyber Storm exercise is scheduled for 2015.

Step 13: Support Your Local Emergency Response Plan
Finally, the utility should determine if its state government has developed a cyber response plan. If a plan exists, the utility at a minimum should become thoroughly familiar with it and, even more important, should offer to participate in the development and continuous testing and refinement of the plan.

The State of Washington, for example, leverages its "cyber security centers of excellence" and lessons learned from Cyber Storm exercises to integrate cyber security planning by state agencies ranging from the Washington Military Department (including its civilian State Emergency Operations Center and Air and Army National Guard cyber operations units) to the Office of the State Chief Information Officer, the Washington State Patrol, the Washington State Fusion Center, the Utilities and Transportation Commission, state universities, municipalities such as the City of Seattle, aerial and maritime port authorities and public utilities. These and other stakeholders, participating as members of a Washington State Cyber Integrated Project Team, have contributed to development, testing and refinement of a Washington State Cyber Incident Annex that is based on the National Cyber Incident Response Plan. The Washington Cyber Incident Annex includes provisions for convening a Cyber Unified Coordination Group to oversee cyber incident responses, with representatives from utilities and other critical infrastructure sectors that could be subject to cyber attack.

The conflict between good and evil in Middle Earth was finally resolved when Gollum, still madly clutching the One Ring, fell into the fire at the Cracks of Doom. With the malevolent force of the Ring destroyed, the forces of evil were shorn of their power and collapsed, allowing the hobbits and other peaceful residents of Middle Earth to return to normal life. The moment when the forces of evil in the cyber world will be shorn of their power is a long way off. Until that time comes, dealing with malevolent forces in the cyber domain will be an omnipresent and growing challenge. Because electric power is so critical to the functioning of our modern society, utilities are, willingly or not, thrust into the role of front-line players in the battle for control of cyberspace. The thirteen steps described above, if implemented, will help utilities protect their own assets and help secure the nation against potentially crippling cyber attacks.

Eric Christensen Publishes Article on Reducing NERC-WECC Regulatory Burdens in February Northwest Public Power Association Bulletin

February 13, 2013

Eric Christensen published an article in this month's Northwest Public Power Bulletin entitled "Electric Reliability and the Bulk Electric System Definition: Next Steps for Reducing Regulatory Burdens." The article is a follow-on to the article he published in the November 2012 Bulletin concerning the development of the keystone "Bulk Electric System" definition. We've reprinted the new article here:
Eric Christensen, Partner
Gordon Thomas Honeywell

On December 20, the Federal Energy Regulatory Commission ("FERC") issued Order No. 773, adopting a new "Bulk Electric System" ("BES") definition. The BES definition is foundational to FERC's reliability regime because it defines the universe of facilities over which FERC can exercise its reliability authority. Order No. 773 also includes new procedural tools for public power utilities seeking to reduce their reliability compliance burdens. The order represents a major victory for public power, but, to obtain its full benefits, utilities should consider additional steps. This article outlines the major options now available.

As reported in the November 2012 Bulletin, Order No. 773 culminates two years of work by the NERC Standards Drafting Team, with strong participation of Western public power coordinated through NWPPA, to develop a rational and workable BES definition. The new definition, developed with what FERC Commissioner LaFleur describes as "creativity and care," initially defines facilities operating above 100-kV as BES, but then refines this "core definition" with "a thoughtful and nuanced list of specifically included and excluded facilities, and an exception process to add or remove specific facilities." The new BES definition is a huge improvement over the disastrous approach originally proposed by FERC. As Commissioner LaFleur observed, the BES definition "illustrates the success" of FERC's "new paradigm" for reliability standards development, which employs NERC's industry-centered process rather than "unduly prescriptive" FERC mandates, to find the most efficient and effective solutions for meeting reliability goals.
Under Order No. 773 and existing NERC rules, public power agencies now have several options for reducing reliability compliance burdens. Choosing the best options will depend on each utility's specific circumstances. The available procedures include:

1. Phase II of the BES Definition Standards Development Process.
As it developed the new BES definition, the Standards Drafting Team identified many issues that could not be resolved in the limited time allowed by FERC. These issues were deferred to Phase II of the standards drafting process, which is now underway. Phase II will examine several questions of great importance to public power and refine the BES definition accordingly. These questions include, for example, how the new definition will affect functional registrations, the technical justification for the 100-kV threshold in the "core" definition, the appropriate capacity thresholds for classifying generators as BES, and the points of demarcation between BES and non-BES facilities. Western public power agencies should focus as closely on Phase II as they did on Phase I, and NWPPA should continue its critical coordination function.

2. Petition for Deregistration.
Entities are responsible for complying with reliability standards based on their registration in one or more of fifteen NERC-defined functional categories, ranging from "Distribution Provider" to "Balancing Authority." In the West, the initial registration process generally assumed a very broad definition of the BES, with the result that many purely local distribution utilities were inappropriately registered as Transmission Owners, Transmission Operators, or under other functions that assume ownership of BES facilities. If the new BES definition means that a utility no longer owns or operates BES facilities, the utility can, on the strength of the new BES definition, file a Petition for Deregistration with WECC seeking to deregister from transmission-related functions (e.g., "Transmission Owner" and "Transmission Operator").

3. Exceptions Process.
In addition to approving the BES definition, Order No. 773 approved a new "Exception Process," which allows utilities inappropriately categorized as BES under the definition to file an "Exception Request." If the utility can demonstrate, based on technical studies, that its facilities are "not necessary for the Reliable Operation of the interconnected bulk-power transmission system," NERC will reclassify the facilities as non-BES. If the utility successfully pursues an Exception Request, it may then be able to deregister from transmission-related functions. The Exception Process can also be used to demonstrate that specific utility-owned facilities are non-BES, thereby removing those facilities from the obligation to comply with BES-related reliability standards.

4. Petition for Declaration That A System is "Used for Local Distribution."
In the most surprising aspect of Order No. 773, FERC imposed a new procedure requiring owners of local distribution facilities to petition FERC directly if they believe their facilities are "used in the local distribution of electric energy," and are therefore excluded from the BES under Section 215(a)(1) of the Federal Power Act. In making this determination, FERC will focus on the function of the system, in contrast to the system's material reliability impacts that would be examined in an Exception process. FERC will use, among other factors, the "Seven Factor Test," developed in the 1990s to distinguish local distribution from transmission as traditional industry structures were changing. This procedure gives local distribution utilities a chance to escape BES classification even if they cannot do so under the BES definition or the Exception process. The procedural path is likely to be less time-consuming and expensive than the Exception process because utilities can petition FERC directly rather than having to go first to WECC and NERC, and the issues to be resolved by FERC are likely to be less technical and fact-intensive than in the Exception process.

5. Facility-Specific Notification to WECC.
In addition, Order No. 773 allows a utility to notify WECC if it determines that specific facilities it owns are no longer classified as BES under the new BES definition. The procedure is simple: nothing more than a notification is required. Reclassification in this manner could significantly reduce a utility's compliance burden because removing facilities from the BES will reduce or eliminate the obligation to comply with reliability standards applicable to BES owner/operators.

6. Standard-by-Standard Negotiation.
Following earlier FERC precedent, in Order No. 773 FERC invites utilities to bargain with NERC for exemption from reliability standards that do not make sense in a utility's specific circumstances, which could substantially reduce compliance burdens. NWPPA could serve a valuable function in this regard by organizing a group of its members to analyze and develop a list of reliability standards that should not apply to specific types of utilities (e.g., full-requirements customers of Bonneville Power Administration, or utilities with no scheduling function) and by assisting members in seeking exemptions from unnecessary requirements.

7. Agreed Transfer of Responsibilities.
Finally, individual utilities may be able to transfer compliance obligations to other entities by agreement. NERC rules allow reliability obligations to be transferred to, for example, joint action agencies, G&T cooperatives, or other entities with appropriate functional registrations. A utility transferring compliance responsibilities in this way could deregister from specific functions, or even completely deregister. NWPPA could render assistance in this area by, for example, exploring whether economies of scale can be achieved by transferring compliance responsibilities to a joint entity or negotiating with Bonneville Power Administration to take responsibility for its customers' transmission-related compliance obligations.

After Order No. 773, public power managers interested in reducing the cost of reliability compliance can choose from a menu of options. In making this choice, managers will need to carefully evaluate the specific circumstances of their utility. But Order No. 773 substantially increases the chances that meaningful reductions in compliance obligations can be achieved by NWPPA members.

FERC Leaves a Sugarplum for Reliability Compliance, Adopts NERC "Bulk Electric System" Definition

December 22, 2012

While the Federal Energy Regulatory Commission at its December meeting put Bonneville Power Administration on the "naughty" list, it awarded the North American Electric Reliability Corporation's ("NERC") industry-led "Bulk Electric System" Standards Drafting Team a place on the "nice" list. On December 20, FERC issued Order No. 773, which adopts a new definition of "Bulk Electric System." The new definition is fundamental to FERC's electric reliability enforcement regime because FERC's mandatory enforcement authority is limited by statute to elements of the "Bulk Electric System." In addition, Order No. 773 adds a couple of stocking-stuffers for the industry in the form of new procedures for regulated entities seeking to reduce their compliance burdens by excluding systems or elements from the Bulk Electric System.

As we have previously explained in greater detail, for several years after Congress adopted a mandatory electric reliability requirement in 2005, FERC relied on the pre-existing definition of "Bulk Electric System," despite its ambiguity. In March 2010, however, FERC reversed course, proposing a new definition of "Bulk Electric System" that would classify all elements rated at 100 kV or above as "Bulk Electric System" with very limited exceptions. FERC's unexpected move provoked a fierce backlash from all sectors of the industry. In response, FERC again changed course, this time ordering NERC to develop a new Bulk Electric System definition using the NERC standards development process.

In response, NERC formed the BES Standards Development Team, which conducted a standards development process over the course of 2011. Utilities from across the country, including a large coalition of public power entities from the West, devoted a great deal of time and talent to developing a workable "Bulk Electric System" definition. These efforts culminated in a revised "Bulk Electric System" definition submitted by the Standards Drafting Team for approval by FERC in January of this year. The new definition starts with a 100-kV threshold, but adds several specific inclusions and exclusions. For example, exclusions for "Local Networks" and radial systems will cover most local distribution systems, allowing them to escape the considerably more burdensome reliability requirements that would apply if they were classified as part of the Bulk Electric System. The NERC proposal also includes an "Exceptions" process that allows case-by-case variations from the Bulk Electric System definition based upon system-specific technical information.


Sun, Shrubs, Cyber-Spies: The Latest Developments in Electric Reliability Standards

October 19, 2012

What do the sun, growing trees, and cyber-terrorists have in common? One might think this question is the lead-in to a joke by a comedian with a particularly bizarre sense of humor. It is in fact the latest list of subjects to be addressed in the electric reliability arena. At yesterday's monthly public meeting, the Federal Energy Regulatory Commission ("FERC") issued new orders directing action to improve management of vegetation, which can grow into and short out electric equipment, and to protect the nation's electric system from the geomagnetic anomalies that can arise from solar storms. Meanwhile, arguments about cyber-security threats continue to generate a lot of heat but not much light.

Let's address each of these topics in turn, starting with vegetation management. Managing trees and shrubs that grow around electric transmission and distribution lines is a constant concern of electric system managers because trees growing into power lines can cause them to short out. In fact, many of the major outages that have afflicted the North American electric grid can be traced back to major transmission lines that short out as a result of contact with untended vegetation. For example, the August 2003 blackout that left much of the eastern U.S. and Canada in darkness, and the 1996 outages that left much of the West Coast without power, can be traced back to transmission lines that contacted trees, leading to major cascading outages.

To address such concerns, FERC, in an order issued yesterday, proposes to accept the North American Electric Reliability Corporation's ("NERC") new vegetation management reliability standard, FAC-003-2, but with one important modification.
