FERC on Thursday denied a petition from the Secure-the-Grid Coalition calling for new reliability standards to meet the growing threat of physical violence against the electric grid, saying the proposal was unnecessary in light of other work serving the same goal (EL23-69).
The coalition filed its petition in May, after NERC submitted a report on potential changes to CIP-014-3 (physical security) to the commission. (See NERC Says Changes Coming to Physical Security Standards.) FERC had ordered the report in response to physical security incidents last year, primarily the Dec. 3 gunfire attack on two substations in North Carolina that left 45,000 customers without power for as long as four days.
The commission had asked NERC whether the assessments that CIP-014-3 required of transmission owners (TO) to evaluate the vulnerability of their facilities were adequate to identify facilities in need of strengthening. In its report, the ERO said this was the case, and that expanding the criteria for TOs to check would not identify any additional critical facilities.
Secure-the-Grid felt the response was not sufficient and urged the commission to order NERC to revise the standard. Its petition argued that the standard should “require industry to establish new metrics for risk assessments” beyond the frequency and consequence of attacks. Suggested metrics included “known vulnerabilities, attacker capabilities and attacker intentions.”
The coalition also pointed out that the applicability of CIP-014-3 is determined by definitions of the grid and critical assets in CIP-002-5.1a (cyber security — BES cyber system categorization). Therefore, Secure-the-Grid argued, those definitions must be expanded, requiring revisions to the latter standard as well.
ERO Says Needed Work Already Underway
NERC and several electric industry trade groups pushed back hard on the coalition’s claims last month in separate filings. (See NERC, Trade Groups Oppose Call for Quick Fix on CIP Standards.) The ERO said it plans to review CIP-014-3, both in an Aug. 10 joint technical conference with FERC and two standards development projects, one of which will also examine CIP-002-5.1a. A new directive from FERC would only interfere with these efforts, which are the “appropriate public processes” for considering the coalition’s concerns, NERC said.
The American Public Power Association, Edison Electric Institute, Large Public Power Council, National Rural Electric Cooperative Association and Transmission Access Policy Study Group raised similar concerns with Secure-the-Grid’s petition. They added that the coalition’s sole justification for calling for revisions to the standards was the growing frequency of physical security incidents on the grid, but said the group failed to prove that a new or revised standard was an appropriate response.
In its decision Thursday, FERC agreed with NERC that the joint conference and standards projects “provide the appropriate forums for addressing the petitioner’s concerns.” While the commission acknowledged Secure-the-Grid’s concerns and said that “the physical security of the [grid] is of paramount importance,” it also said the work already underway is “adequate” for addressing the grid’s physical security needs.
FERC Clarifies Cyber Incentives
The commission also provided clarification on an order it issued earlier this year establishing financial incentives for voluntary cybersecurity investments by electric utilities, fulfilling a request submitted by NRECA (RM22-19).
NRECA filed a request for clarification or rehearing of FERC Order 893 in May. The trade group took issue with the part of FERC’s final rule providing that utilities may qualify for incentives through investments needed to establish compliance with NERC’s Critical Infrastructure Protection (CIP) standards that are not yet enforceable. (See FERC Issues Cyber Incentives Order.)
Specifically, NRECA claimed that the term “effective date” appeared in FERC’s order referring to both the date that the commission issues an order approving a new standard and the date that the standard becomes enforceable. It asked that the commission clarify whether a utility:
-
- Must demonstrate full compliance with the relevant CIP standard to be eligible for the incentive;
- May receive the incentive for investments made before the date NERC submits a proposed standard to the commission or the date FERC issues an order approving the standard; and
- Faces any requirement concerning how long before the effective date of the standard an investment must be made in order to qualify for the incentive.
FERC explained in its response that the new rule requires utilities to demonstrate that they will make their investments after the effective date of approval of the appropriate standard, but before its enforceable date. It said that a utility attempting to claim the incentive “must achieve compliance” with the standard to satisfy the requirement.
In addition, FERC affirmed that the only time requirement regarding the cyber incentives was that the investments be made after the approval of the standard and before its effective date, meaning there is no minimum time requirement before the effective date for investments to qualify for the incentive.
NRECA also asked FERC to clarify whether utilities that sell energy, capacity or ancillary services at market-based rates may also sell at separate cost-based rates that account for the cybersecurity investment incentives. The commission said its order “does not preclude” such sales.