FERC

FERC Issues NOPR on Supply Chain Risk Management - January 18 - FERC issued a notice of proposed rulemaking proposing to approve NERC’s proposed supply chain risk management Reliability Standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security – Electronic Security Perimeters), and CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments) with certain modifications.  The proposed standards, which NERC submitted to address FERC’s directives in Order No. 829, would modify currently-effective CIP Reliability Standards to reduce cybersecurity risks associated with supply chain management.  FERC’s NOPR also proposes to reduce the implementation period for the proposed standards, directs NERC to develop modifications to include Electronic Access Control and Monitoring Systems  associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards, and directs NERC to evaluate the cyber security supply chain risks presented by Physical Access Control Systems and Protected Cyber Assets in a recent study of cyber security supply chain risks requested by the NERC Board of Trustees.

FERC Approves Emergency Preparedness and Operations Reliability Standards - January 18 - FERC issued a final rule approving Emergency Preparedness and Operations (EOP) Reliability Standards EOP-004-4 (Event Reporting), EOP-005-3 (System Restoration from Blackstart Resources), EOP-006-3 (System Restoration Coordination), and EOP-008-2 (Loss of Control Center Functionality).  The approved EOP Reliability Standards enhance reliability by:  (1) providing accurate reporting to NERC’s event analysis group; (2) delineating the roles of entities that support system restoration from blackstart resources; (3) clarifying the requirements to execute system restoration processes; and (4) refining required elements of an operating plan to continue operation if primary control functionality is lost.

FERC Rejects DOE Proposal on Grid Reliability and Resilience Pricing - January 8 - FERC issued an order terminating the rulemaking proceeding initiated by the Secretary of Energy that proposed to develop cost recovery mechanisms for “grid reliability and resiliency resources.”  While declining to adopt the Secretary’s proposal, FERC acknowledged the importance of grid resilience and initiated a new proceeding to seek additional information from FERC-jurisdictional Independent System Operators (ISOs) and Regional Transmission Organizations (RTOs) to evaluate the resilience of the bulk power system in those regions.  There are three goals for the new proceeding: (1) to develop a common understanding among the Commission, industry, and others of what resilience of the bulk power system means and requires; (2) to understand how each RTO and ISO assesses resilience in its geographic footprint; and (3) to use this information to evaluate whether additional Commission action regarding resilience is appropriate at this time. Please see our Alert on this matter for more information.

NERC

NERC Files Comments on Proposed Reliability Standard CIP-0037 - December 22 - NERC filed comments in support of proposal to approve Reliability Standard CIP-003-7, stating that Reliability Standard CIP-003-7 would improve upon the currently-effective CIP Reliability Standards.  Further, NERC stated that it did not oppose proposed FERC directives that NERC modify Reliability Standard 003-7 to provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems and address the need to mitigate the risk of malicious code that could result from third-party transient electronic devices.

NERC Submits Reliability Standards Development Plan - December 21 - NERC submitted to FERC its 2018-2020 Reliability Standards Development Plan (2018 Development Plan), which provides an update on active and future projects and an analysis comparing accomplishments with previous Development Plans.  The 2018 Development Plan focuses on completing already initiated Periodic Reviews and responding to FERC directives, assessing emerging risks that may generate new Reliability Standards projects, Standard Authorization Requests, and the standards grading initiative.

NERC Penalty Activity - December 28 - NERC filed with FERC a spreadsheet notice of penalty resolving 3 violations of 7 Reliability Standards totaling $75,000 in penalties.

Cybersecurity

NIST Issues Update for Systems Security Engineering - January 3 - The National Institute of Standards and Technology (NIST) issued the first update to its systems security engineering guidance document, Special Publication 800-160.  The update contains substantive and editorial changes that emphasize the importance of applying the document’s security design principles to systems that are part of the U.S. critical infrastructure.  NIST plans on releasing a second systems security engineering document on cyber resiliency in March 2018.

Department of Homeland Security Warns of Security Vulnerabilities - January 3 - The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) issued an alert and guidance on the “Meltdown” and “Spectre” security vulnerabilities, which affect computer processors.

Congress

House Members Discuss Grid Security during Hearing on DOE Modernization - January 9 -The House Energy and Commerce Committee’s Subcommittee on Energy held a hearing entitled “DOE Modernization: Advancing DOE’s Mission for National, Economic, and Energy Security of the United States, at which senior leadership from the Department of Energy (DOE) testified.  DOE Undersecretary for Energy Mark Menezes called cybersecurity one of the energy issues that concerned him the most, and noted that the expectation of DOE to manage energy-related cyber emergencies generally exceeded its authority to do so.  Deputy Secretary Dan Brouillette also noted that DOE’s main focus with respect to cybersecurity it to ensure the agency’s internal security.