The Federal Energy Regulatory Commission (FERC) and the North American Reliability Corporation (NERC) have released a comprehensive report that pins the 2011 Southern California blackout on inadequate planning and grid coordination. Last September, millions of people in Southern California, Arizona and Mexico's Baja California were left in darkness after an employee's work on a transmission line at an Arizona substation triggered a massive blackout. The report dives into the causes of this incident, the areas affected and the timeline of the system collapse and restoration.
The report’s overall recommendation calls for an improvement of bulk power system operators’ situational awareness through improved communication, data sharing and the use of real-time tools. It lists 27 specific recommendations to that end, each addressing specific findings from the investigating team. The full report can be accessed at http://1.usa.gov/KoSCTy
The Federal Energy Regulatory Commission (FERC) has approved Version 4 of the Critical Infrastructure Protection (CIP) Reliability Standards submitted by the North American Electric Reliability Corporation (NERC). The currently-effective Version 3 CIP Reliability Standards. NERC had sent the CIP 4 standards over to FERC for approval back in February 2011, and FERC’s rulemaking on the same was initiated in September.
NERC CIP 4 presents significant changes in the way utilities identify critical assets and the means used to protect them. The main difference between Version 3 and Version 4 is a change in definition for “Critical Assets” (found in CIP-002-4). Specifically, Version 4 includes uniform “bright line” criteria for the identification of “Critical Assets,” which replace the “risk-based assessment methodology” developed and applied by individual responsible entities under Version 3.
NERC now has until March 31, 2013 to submit the next version of the CIP Reliability Standards, and Version 5 is still awaiting approval by NERC. Discussions on NERC CIP 5 suggest that it is intended to finally address all of Order 706.
A proposal put forward by the North American Electric Reliability Corporation (NERC) to use a three-tier format informational filing to report possible violations of Reliability Standards has been approved by the Federal Energy Regulatory Commission (FERC). In an Order released yesterday, FERC set conditions related to NERC's "Fix, Find, Track and Report" (FFT) proposal intended to ensure that the minor violations dealt with under the program were handled properly. Minor violations are defined as minimal to moderate risk, and include administrative, documentation, and certain maintenance or testing program implementation failures. FERC will also survey a random sample of FFTs each year to determine how the program was working and to see if improvements to the program were needed. The full text of the Order can be viewed here.
Integration of smart grid devices and other new and emerging technologies that rely on communications to control device operations poses a threat to the reliability of the electric grid, according to a new report released by the North American Electric Reliability Corporation (NERC). Providing a 10-year outlook on the North American electric industry, the new '2011 Long Term Reliability Assessment' report released by NERC evaluates key reliability indicators and dives into the impact of regulations and other issues on bulk power system reliability. The key issues discussed in the report were: the decrease in projected generation resources; the growing dependence on natural gas as a primary fuel source of on-peak capacity; the increased demand for integrating and delivering new resources and the subsequent growth of transmission; and the cumulative effect of environmental regulations, which may reduce reserve margins in ways that could affect bulk power system reliability, depending on the scope and timing of final regulation implementation.
The commission seeking greater authority over the cybersecurity of the nation’s electric grid has security problems of its own. A recently released audit of the Federal Energy Regulatory Commission’s (FERC) unclassified cybersecurity program by the Inspector General (IG) of the Department of Energy (DOE) has revealed much room for improvement. While acknowledging that the commission has improved since DOE’s FY2010 evaluation, the audit cited continued weaknesses related to timely remediation of software vulnerabilities, and failure to implement FERC’s own Vulnerability Management Program (VMP), as the reasons for its findings.
The audit stated that “specifically, we noted that 32 of 70 vulnerabilities we identified were rated "high risk" by the vendor and/or the National Vulnerability Database sponsored by the Department of Homeland Security's National Cyber Security Division.” Nine of the issues identified impacted a significant number of the 45 servers and/or 236 workstations tested, and were primarily associated with third-party productivity and internet applications. “All of the "high risk" vulnerabilities identified were more than 30 days old, including 18 that were missing patches more than 1 year old. Furthermore, we identified several instances where the Commission was using software that was no longer supported by the vendor.”
While FERC budgeted approximately $3.8 million during fiscal 2011 to secure its information technology assets, FERC cited “budget and resource constraints” as the reason for not following its own VMP. In addition, FERC said that some patches were not instituted because of adverse operational impacts.
Source: FERC Press Release dated September 15, 2011
"In a long awaited regulatory action, the Federal Energy Regulatory Commission (FERC) took steps to support continued transmission system reliability by proposing revisions to eight critical infrastructure protection (CIP) reliability standards that include a new method of identifying cyber assets that are critical to the nation’s bulk power grid.
The North American Electric Reliability Corp. (NERC) voted to approve the newest version of the CIP standards some time ago, and the industry has been waiting for FERC's decision on whether the standards should be enacted.
If enacted, NERC CIP 4 would present significant changes in the way utilities identify critical assets and the means used to protect them. Utility security professionals should review the draft standards and begin considering changes needed to their procedures to comply with the new methodologies.
The notice of proposed rulemaking (NOPR) stressed that NERC has not addressed all the modifications directed by the Commission’s Order No. 706, which approved the original CIP standards in January 2008. The NOPR would require NERC to make a filing to fully comply with Order No. 706 by the end of the third quarter of 2012. Comments on the proposed rule (RM11-11) are due 60 days after publication in the Federal Register.
The proposed “Version 4” CIP standards are an interim step, FERC said in directing the electric industry and the North American Electric Reliability Corp. (NERC) to continue developing a comprehensive approach to assure the grid can withstand a cyber security incident. NERC is the Commission-certified electric reliability organization responsible for developing and enforcing mandatory reliability standards."
The Federal Energy Regulatory Commission (FERC) issued its Order on Smart Grid Interoperability Standards, and it has concluded that there is "insufficient consensus" on the initial five families of standards that were sent by NIST for FERC adoption in accordance with the Energy Independence and Security Act of 2007. Furthermore, FERC encouraged stakeholders to actively participate in the NIST interoperability framework process to develop standards for interoperability and to refer to that process for guidance on smart grid standards. Finally, FERC terminated its proceeding in docket RM11-2-000.
In reaching its conclusion not to institute a rulemaking proceeding to adopt the standards, the Commission agreed with comments that registered concerns about cyber security deficiencies and potential unintended consequences from premature adoption of individual standards. The Commission did express its support for the NIST process and did encourage active participation by stakeholders, citing planned improvements to the NIST process including "an enhanced SGIP role in reviewing existing as well as new smart grid interoperability standards, the establishment of a preliminary testing process, the establishment of a process to identify cyber security design principles, and efforts to better address reliability and implementation concerns within the SGIP process."
For more information, contact the UTC Legal/Regulatory Department.
Earlier today, the Senate Energy and Natural Resources unanimously approved the "Grid Cyber Security Act", a somewhat amended version of the bill that it approved last session but that was never brought to the Senate floor for a vote. The bill now goes to Senate Majority Leader Harry Reid, who may opt to fold it into a more comprehensive cybersecurity bill he hopes to bring to the Floor later this summer.
Meanwhile, the House Subcommittee on Energy and Power of the Energy and Commerce Committee plans a hearing next Tuesday, May 31, on its own version of the bill whose language is based on the GRID Act passed unanimously last year by the House.
Under the provisions of the Senate bill, FERC jurisdiction would be expanded to include distribution in addition to generation and transmission systems and assets deemed "critical electric infrastructure [CEI]," defined as "so vital to the United States that the incapacity or destruction of the systems and assets would have a debilitating impact on national security, national economic security, or national public health or safety."
Within 120 days of enactment, FERC is directed to review current standards to determine their adequacy to mitigate cyber vulnerabilities. Due in part to criticisms that the NERC CIP standards-setting process is too slow, the bill would impose a 180-day deadline for NERC to propose revisions to those standards that FERC finds wanting, or to develop a new standard to address new vulnerabilities identified by FERC. Reasonable time extensions will be granted, but the bill is silent on penalties if the deadline is not met.
One of the biggest challenges facing the deployment of smart grids is inadequate consumer education, which in some cases is worsened by "over-hyping" the benefits of the smart grid. This general consensus came from the UTC Smart Grid Policy Summit, a two-day conference held this week in Washington, DC that featured panel discussions with key policy makers, regulators, utilities and industry associations. While the panels debated issues such as the role of state vs. federal regulators in setting smart grid policy and the pressures of cost-recovery, many of the panels often returned to the need for consumer awareness and trust. Opening Keynote Speaker Joe Rigby, CEO and Chairman of PEPCO, addressed this concern by discussing his utility's successful pilot programs, which were implemented in collaboration with state regulators and consumer groups and showed that consumers do respond positively to dynamic pricing. However, he did note that duplicating the results of a pilot in a larger territory roll-out was not easy.
Comments on the FERC Technical Conference on the 5 Families of Standards Posted by NIST for Consideration by Regulators
FERC held a technical conference on Monday, January 31, to obtain further information to aid the Commission’s determination of whether there is “sufficient consensus” that the five families of standards posted by NIST and included in this proceeding are ready for Commission consideration in a rulemaking proceeding, as directed by section 1305(d) of the Energy Independence and Security Act of 2007. FERC is now seeking comments on the conference and the five standards and information on how to do that appears below.