FERC Directs NERC to Propose Mandatory Reliability Standards Regarding Physical Security Risks to the Bulk-Power System

by Akin Gump Strauss Hauer & Feld LLP

On March 7, 2014, the Federal Energy Regulatory Commission (FERC) issued an order directing the North American Electric Reliability Corporation (NERC) to propose one or more Reliability Standards to require certain entities to “take steps or demonstrate that they have taken steps to address physical security risks and vulnerabilities related to the reliable operation of the Bulk-Power System.”  The FERC’s related news release is available here.  The proposed Reliability Standards are due by June 5, 2014, and will be subject to comment in a rulemaking proceeding.  The FERC also provided an opportunity for interested parties to be heard in the proceeding in which it issued the order, and set a deadline for notices of intervention or motions to intervene of March 28, 2014.

Three-Step Approach

The FERC did not impose a “one size fits all” approach to protecting physical security, but directed NERC to include in the Reliability Standards a three-step approach to addressing physical security risks.

Step One:  Risk Assessment and Identification of “Critical Facilities”

First, the FERC directed that the Reliability Standards “should require owners or operators of the Bulk-Power System to perform a risk assessment” to identify their “critical facilities,” i.e., those which, “if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures.”  The FERC did not require a specific type of risk assessment, but stated that the methodologies used to determine “critical facilities” should be “based on objective analysis, technical expertise, and experienced judgment.”  In addition, the Reliability Standards “should allow owners or operators to consider resilience of the grid in the risk assessment when identifying critical facilities, and the elements that make up those facilities, such as transformers that typically require significant time to repair or replace.”

Step Two:  Threat and Vulnerability Evaluation

Second, the FERC directed that the Reliability Standards should require owners or operators of “critical facilities” to evaluate potential threats and vulnerabilities to those facilities based on factors such as location, size, function, existing protections, and “attractiveness as a target.”  Thus, the FERC stated, the Reliability Standards should require owners or operators to tailor their threat and vulnerability evaluation “to the unique characteristics of the identified critical facilities and the type of attacks that can be realistically contemplated.”

Step Three:  Security Plans

Third, the FERC directed that the Reliability Standards should require owners or operators of critical facilities to develop, validate, and implement security plans “designed to protect against attacks to those . . . facilities based on the assessment of the potential threats and vulnerabilities to their physical security.”  The Reliability Standards “need not dictate specific steps an entity must take to protect against attacks,” but must require owners and operators of critical facilities to have a plan that provides “an adequate level of protection against the potential physical threats and vulnerabilities they face.”

Confidentiality, Independent and Periodic Review, and Implementation

Because of the sensitive nature of the information related to all three steps, the FERC also required NERC to include in the proposed Reliability Standards a procedure to “ensure confidential treatment of sensitive or confidential information but still allow for the [FERC], NERC and the Regional Entities to review and inspect any information that is needed to ensure compliance with the Reliability Standards.”

In addition, the FERC noted that the risk assessments, threat and vulnerability evaluations, and security plans should be independently reviewed by an entity other than the owner or operator, such as the FERC, NERC, a Regional Entity, Reliability Coordinator, or other entity with appropriate expertise, and that the proposed Reliability Standards should require that all three “be periodically reevaluated and revised to ensure their continued effectiveness.”

The FERC did not impose an implementation timeline for the Reliability Standards, but required NERC to “develop an implementation plan that requires owners or operators of the Bulk-Power System to implement the Reliability Standards in a timely fashion, balancing the importance of protecting the Bulk-Power System from harm while giving the owners or operators adequate time to meaningfully implement the requirements.”

Commissioner Norris’s Concurrence and Concerns

In a separate statement, Commissioner Norris expressed support for the order, but noted several areas of concern.  First, Commissioner Norris noted that the procedural approach the FERC selected, which, due to its ex parte rules, will limit communication and engagement between industry and the FERC, as well as the “uniquely expedited nature” of the standards development process, could weaken that process.  To mitigate these issues, Commissioner Norris encouraged broad participation in the NERC standards development process and the forthcoming FERC rulemaking proceeding.  Commissioner Norris also cautioned parties to “be mindful of the Commission’s expectation that the number of critical facilities identified will be relatively small compared to the number of facilities that comprise the Bulk-Power System and [to] strive for balance between the measures related to physical security and the costs for consumers.”

Second, Commissioner Norris expressed his concern regarding the sensitivity of information regarding the physical vulnerabilities of the power grid and urged Congress to expeditiously create a clearly-defined Freedom of Information Act exemption to facilitate the exchange of information important to the Reliability Standards development process among industry, the FERC, and NERC without fear of disclosure.

Third, Commissioner Norris expressed his concern that recent efforts to protect reliability have focused too narrowly on physical security.  Instead, Commissioner Norris argued, equal focus on and dedication of resources to other threats, including cyber-attacks, geomagnetic disturbances, electromagnetic pulses, and natural disasters, are necessary.

Finally, Commissioner Norris cautioned against overreaction to the widely-reported April 2013 attack on PG&E’s Metcalf Substation, which has received significant attention in recent months from legislators and regulators (as we discussed in prior posts available here, here, and here).  Specifically, Commissioner Norris noted that he remains concerned that “recent momentum will result in the electricity sector potentially spending billions of dollars erecting physical barriers to protect our grid infrastructure,” with “most if not all of those costs . . . passed through to ratepayers.”  Instead, Commissioner Norris believes that “the more prudent approach is to focus on building a smarter and more agile grid, incorporating better communication and coordination, to mitigate against the multiple forms of risks that we face,” as well as to “more readily integrate intermittent resources, increase demand-side management capabilities, enhance the competitiveness of the wholesale energy market and more.”

Potential Implications

Ultimately, the effect of the FERC’s order will depend on the outcomes of the NERC standards development process and FERC rulemaking proceeding.  For owners and operators of facilities that are part of the Bulk-Power System that already have assessed the risks to and vulnerabilities of their critical facilities and implemented protective measures, the Reliability Standards, as ultimately adopted, might not require significant further action or costs.  For other entities, the costs of compliance with the new Reliability Standards could be significant.  Either way, because of the expedited timeline for NERC to develop and propose the standards, NERC-registered entities should be sure to voice their concerns in the NERC and FERC proceedings.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising
