On March 28, 2013, the Federal Energy Regulatory Commission (FERC) issued an order approving a stipulation and consent agreement between FERC’s Office of Enforcement (OE) and Entergy Services, Inc. (Entergy) to settle violations of various North American Electric Reliability Corporation (NERC) Reliability Standards. Although the basic terms of this settlement are largely unremarkable, there are unique aspects of this case to note.
To recap briefly the settlement’s basic terms, OE found after an investigation into Entergy’s compliance with the Reliability Standards that Entergy violated 27 requirements of 15 Reliability Standards. Specifically, OE alleged that:
Entergy did not account for protection system maintenance outages in its long term planning studies, and it allowed field technicians to disable protection systems without conducting prior operational planning studies.
Entergy did not have a facilities rating methodology for all of its transmission facilities, but instead relied on “vintage” line ratings for lines built before 1994 and put into service before the independent operating companies were consolidated into Entergy.
Entergy did not have a formal system operator training for its transmission operations center (TOC) staff.
Entergy failed to maintain accurate models for its operations and operational planning because it failed to update its models to reflect certain transmission lines placed in service or to account for auxiliary loads at its nuclear generation sites.
As evidenced in a number of communications outages affecting Entergy’s operations, Entergy failed to have required redundancy in its communications systems and backup power supplies, and it failed to adequately test for, plan for and respond to these communications outages.
The settlement provides that Entergy neither admits nor denies these violations, but Entergy agreed to pay a civil penalty of $975,000 and to undertake various activities to mitigate the alleged violations. Such activities included revamping its protection system maintenance process; adopting a new facilities rating methodology and undertaking costly Light Detection and Ranging (LiDAR) studies of all 13,669 miles of its transmission lines operated at or above 100kv; clarifying the role of its TOC staff and implementing a formal training and certification program for them; and strengthening its communications infrastructure and procedures related to communications outages. Entergy will also be obligated for the next year to make semiannual reports on its progress on these mitigation measures, investments to improve reliability and any additional violations that may occur. The settlement also provides that OE may extend this reporting requirement for another year.
FERC’s Independent Enforcement of NERC Reliability Standards
Although OE’s findings (taken at face value) and the civil penalty do not appear to be unusual at first blush, this case is unique in that it is the first time FERC has independently assessed a civil penalty for Reliability Standards violations without direct involvement by NERC or its regional entities. Unlike other civil penalty assessments for reliability standards violations, which have all previously arisen out of a joint investigation by FERC and NERC staffs and which have resulted in settlements among the registered entity, FERC, and NERC, this settlement only involved OE and Entergy and contains no reference to NERC’s participation or that of NERC’s regional entity with compliance enforcement authority over Entergy (SERC Reliability Corporation).
As reflected in FERC’s order approving this settlement, this case arose out of an investigation that was prompted by a referral by FERC audit staff after a 2009 audit of Entergy’s compliance with its open access transmission tariff and the Reliability Standards. The audit was initiated by FERC staff, independently of NERC and SERC, and while NERC and SERC staff may have been invited to observe FERC’s audit, the 2010 audit report gives no information about the level of involvement NERC and SERC may have had in the findings and recommendations contained in that audit report.
Looking back at the 2010 Audit Report, there was no indication that FERC would pursue this present enforcement action. The 2010 Audit Report included two findings by the FERC staff with respect to reliability (concerning planning for and operation during single-contingency events), and it offered three recommendations related to those finding. However, the 2010 Audit Report made no reference to any possible violations, nor did it disclose the intent of FERC audit staff to refer the case to FERC’s investigators.
From a process and timing standpoint, FERC’s audits of compliance with Reliability Standards are very different from audits conducted by NERC and its regional entities. NERC and the regional entities typically conclude their audits and begin processing enforcement matters for any possible violations identified in those audits within a weeks of the commencement of the audit. In contrast, FERC’s audit of Entergy took a little over a year to conclude, and the conclusion of the FERC audit did not finalize FERC’s review of Entergy’s compliance or give a complete picture of that Entergy’s exposure to civil penalties. In fact, even with the audit in 2009 and this settlement in 2013, there is no indication whether NERC and SERC will conduct further investigation or enforcement actions against Entergy for this time period.
To date, FERC staff’s auditing of compliance with Reliability Standards independent of NERC and the regional entities has been relatively rare. FERC staff has issued notices in 2011 for three other audits: PJM, Salt River Project, and Bonneville Power Administration. Of these, only the PJM audit has reached the stage of an audit report, which FERC approved in November 2012. Like Entergy’s audit report, the PJM audit report identifies no specific Reliability Standards violations, and it only provides 28 “recommendations” in eight “areas in which PJM could improve performance” (related to cybersecurity, accuracy of operational models, and PJM’s contingency plan) and three “areas of interest” (related to PJM’s establishment of system operating limits and interconnection reliability operating limits and to PJM’s role as transmission operator). If Entergy’s experience is an indication of how FERC will proceed in similar cases, PJM may soon be or may currently be subject to an investigation that could lead to findings of Reliability Standards violations and civil penalties.
Aside from the process by which FERC audited Entergy and ultimately settled this case, the $975,000 civil penalty is worth some discussion. Compared to the $25 million civil penalty levied against Florida Power and Light and the $3.9 million civil penalty against PacifiCorp, Entergy’s civil penalty is the lowest FERC has assessed against an investor owned utility for Reliability Standards violations. This may be a function of the fact that Entergy’s investigation was initiated by a referral from an audit and was not initiated as a result of a loss of load event, like the ones that prompted the Florida Power and Light and PacifiCorp investigations.
Still, Entergy’s civil penalty is higher than the highest penalty NERC and its regional entities have ever assessed independently of FERC. In December 2012, FERC approved a $950,000 settlement between SERC and an “unidentified registered entity” for several violations related to the Reliability Standards governing cybersecurity.
FERC’s order approving the settlement provides little guidance as to how OE and Entergy arrived at the stipulated civil penalty. In a single paragraph, FERC stated:
The civil penalty amount is consistent with the Penalty Guidelines. Enforcement considered that, given the size and complexity of Entergy’s system, its violations posed a high risk that it would be unable to prevent, contain, or control a disturbance that could lead to substantial harm. Entergy also has a history of past violations of the Reliability Standards, including violations of the BAL- and FAC- Reliability Standards. The civil penalty amount reflects credit for Entergy’s full cooperation during the course of the investigation as well as a credit for avoiding a trial-type hearing.
Other than generally citing to risk, compliance history, cooperation and the fact that OE and Entergy reached a settlement, FERC does not provide any guidance as to how it applied the various formulas in its Penalty Guidelines, how much discretion FERC staff exercised in weighing the aggravating and mitigating factors in this case, or ultimately how these factors translated to a $975,000 civil penalty. There is also little guidance on how FERC will determine civil penalty amounts in future enforcement actions related to noncompliance with Reliability Standards.
Other Items of Note
There are two other items of note about the Entergy settlement. The first is that the settlement explicitly calls out a cybersecurity violation. FERC staff found that Entergy violated Reliability Standard CIP-007-1 R1 because Entergy failed to test a firmware upgrade for a network switch prior to applying it in the production environment and because Entergy could not assess whether significant configuration changes to critical cyber assets would compromise its cybersecurity controls or those assets. Stating this finding in the public settlement departs from FERC’s and NERC’s typical practice of masking the identity of entities who have committed cybersecurity violations. The rationale for this practice is that public disclosure of information about cybersecurity violations could identify to the public (and potential cyber terrorists) weaknesses in the industry’s cybersecurity protections. Although FERC has departed from this practice once before (in a case involving questions about FERC’s jurisdiction to assess a penalty against a federal entity for cybersecurity violations), FERC does not explain why it chose to disclose this particular cybersecurity violation or why the security concerns related to this particular disclosure are minimal.
Finally, Entergy’s reporting obligations under the settlement are notable because they go beyond reporting on Entergy’s compliance with the terms of the settlement and progress in mitigating the alleged violations. Paragraph 44 of the stipulation and consent agreement specifically includes an obligation to report “any additional violations of Reliability Standards that have occurred and whether and how Entergy has addressed those new violations.” Although this a mandatory self-reporting provision is common in settlements of FERC investigations, it raises significant issues in this context given the breadth of obligations under the Reliability Standards. While entities should provide complete and accurate reports about their implementation of stipulations and consent agreements (including reports on whether they have identified violations in the course of such implementation), there is a question as to whether an entity should be required to self-report “any” Reliability Standard violation. The settlement offers no guidance as to how certain Entergy must be about whether a new violation has occurred before it must self-report that new violation. Also given that the settlement requires such self-reporting, there is a question whether the Entergy would be accorded self-reporting credit in any future penalty assessments that may result from such self-report.© 2013 Schiff Hardin LLP