July 12, 2020

Volume X, Number 194

July 10, 2020

Subscribe to Latest Legal News and Analysis

July 09, 2020

Subscribe to Latest Legal News and Analysis

FERC Announces Potential Changes to Critical Infrastructure Protection (CIP) Standards for Cybersecurity of the Bulk Electric System (BES)

On June 18, 2020, the Federal Energy Regulatory Commission (FERC, or the Commission) issued a Notice of Inquiry (NOI) to seek comment on whether the currently effective Critical Infrastructure Protection (CIP) Reliability Standards for the Bulk Electric System (BES) adequately address (i) cybersecurity risks pertaining to data security, (ii) detection of “anomalies” and “events,” and (iii) mitigation of cybersecurity events. FERC also seeks comment on the potential risk of a coordinated cyberattack on geographically distributed targets and whether modifications to the CIP Reliability standards would be appropriate to address such a risk.

The NOI is part of a growing trend of recent federal action on the cybersecurity of the grid, including President Trump’s Executive Order on BES equipment sourced from “foreign adversary” countries, as discussed in an earlier GT Alert. FERC’s ultimate decision will be binding upon the entities that own cyber and physical assets affected by any new CIP Reliability Standards.

Specifically, FERC staff reviewed the National Institute of Standards and Technology (NIST) Cyber Security Framework (NIST Framework)1 and compared it with the substance of the CIP Reliability Standards to identify certain topics in the NIST Framework that may not be adequately addressed in the CIP Reliability Standards.

Commission Staff arrived at the categories selected for comment (data security, detection of anomalies and events, and mitigation of cybersecurity events) based on review of the NIST Framework and current standards, noting that while CIP Reliability Standards have been updated multiple times since the first mandatory standards were issued in 2008, new cyber threats continue to evolve and may warrant further updates to the standards.

The NOI further explains that the strategy of Commission-approved CIP Reliability Standards with regard to cybersecurity is risk-based and intended to provide “defense in depth” (or multiple, redundant “defensive” measures). In general, planning for a reliable grid is based on the ability to withstand the single largest contingency possible, known as the N-1 event, and FERC now questions whether greater defense in depth is warranted to protect from a coordinated attack on multiple cyber assets important to the grid.

The NOI also notes that the grid’s transition from larger, centralized generation resources to smaller, more geographically distributed generation resources may exacerbate the risk of a coordinated attack (a related concern to the increased “threat surface” that proliferation of individual distributed assets may create2). This suggests that FERC may pay particular attention to distributed generation resources and other grid assets that were historically considered too small, individually, to be subject to CIP Reliability Standards (e.g., the NOI states that FERC is considering “potential modifications to the current MW thresholds [of CIP Reliability Standards]”).

If FERC concludes that geographically distributed “targets” include any physical or cyber assets connected to the distribution-level, retail sale grid, then coordination with state public utility commissions may be required. However, the NOI currently makes no mention of such an eventuality. 

The Commission’s NOI provides specific questions under each of the three categories, with Initial Comments due Aug. 24, 2020, and Reply Comments due Sept. 22, 2020.

 

1 The NIST Framework consists of five “Functions” that provide a strategic-level view of cybersecurity: Identify, Protect, Detect, Respond, and Recover).

See CyberX, 2020 Global IoT/ICS Risk Report (via download).

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 177

TRENDING LEGAL ANALYSIS


About this Author

Rabeha Kamaluddin Shareholder DC Energy & Natural Resources Litigation Federal Regulatory & Administrative Law
Shareholder

Rabeha Kamaluddin has deep experience in a broad range of administrative, judicial, and transactional matters, primarily in the energy industry.  She focuses her practice on energy regulation, compliance, and enforcement matters, regularly representing clients before the Federal Energy Regulatory Commission (FERC) and various state public utility commissions.  

Rabeha represents energy clients, including interstate oil and natural gas pipelines and storage providers, liquefied natural gas (LNG) exporters, refiners, jet fuel shippers, public utilities, transmission owners,...

202-331-3197
Gregory Lawrence, Greenberg Traurig Law Firm, Energy, Crorporate and Finance Litigation Law Attorney
Shareholder

Gregory K. Lawrence focuses his practice on the electricity and natural gas industries. He is experienced appearing before the Federal Energy Regulatory Commission (FERC) and multiple state utility commissions regarding regulatory proceedings, compliance and enforcement, capacity and energy market structure, transactions and negotiations, asset transfers, and governmental affairs. Greg’s clients include financial institutions and funds, marketers, traders, renewable and other project developers, municipal and investor-owned utilities, and large energy consumers.

Recognized as a leading energy and electricity lawyer by Chambers USA, Greg is a frequent speaker at energy industry conferences and a contributor to a wide range of publications, includingThe Electricity Journal, Electric Light & PowerEnergy RiskBloomberg Law ReportsProject Finance InternationalCorporate CounselWindpower Engineering, and EnergyLaw 360. He also authored a quarterly column in Electric Energy T&D Magazine and "Rationalizing Supply with Demand: Electricity Demand Response in U.S. Wholesale Electricity Markets," a book chapter inU.S. Law and Taxation.

In addition, Greg has taught energy seminars at the Massachusetts Institute of Technology Sloan School, Cornell Law School, and Syracuse University. Greg regularly presents at The Harvard Kennedy School, Harvard Electricity Policy Group, regarding electricity market structure as well as manipulation legal issues.

617-310-6003
Associate

Jack T. LeBris Erffmeyer is a member of the Energy & Natural Resources Practice in Greenberg Traurig’s Washington, D.C. office. As a former Assistant Attorney General for the Public Utilities Bureau in the Office of the Illinois Attorney General, Jack was responsible for the prosecution and management of all aspects of administrative litigation before the Illinois Commerce Commission (ICC) on electricity and natural gas cases and before the Federal Energy Regulatory Commission (FERC) on interstate wholesale electricity market cases. His experience includes casework related to formula...

202-530-8560
Thomas O. Lemon ASSOCIATE Boston Litigation Energy & Natural Resources
Associate

Thomas O. Lemon focuses his practice on litigation and regulation in the energy sector. After receiving his J.D. from Washington University in St. Louis in 2011, Tom worked as an attorney-advisor in the Federal Energy Regulatory Commission’s (FERC) Office of Enforcement. In his time at the Commission, Tom worked on nearly every type of FERC Enforcement matter, and has extensive experience with natural gas and electricity market fraud and manipulation claims, NERC reliability standards violations, wholesale demand response, and LMP and capacity price formation. He has done investigatory and...

617-310-6215