On March 18, 2010, FERC approved the North American Electric Reliability Corporation’s (“NERC”) plan for implementation of eight Critical Infrastructure Protection Reliability Standards, CIP-002-1 through CIP-009-1 (“CIP Standards”), by generator owners and operators of nuclear power plants in the United States (“Implementation Plan”). NERC’s Implementation Plan was filed on January 19, 2010, as part of a compliance filing in response to FERC’s December 17, 2009 request for additional information.
CIP Standards require operators of the Bulk-Power system to follow particular requirements to protect “critical cyber assets.” Version 1 CIP Standards state that facilities regulated by the U.S. Nuclear Regulatory Commission (“NRC”) are exempt from CIP Standard compliance. NRC regulations currently do not, however, cover all of the equipment within a nuclear power plant. On March 19, 2009, FERC issued Order 706-B to clarify that CIP Standards should apply to the “balance of plant” equipment within a nuclear plant in the United States that is not subject to regulation by NRC. FERC directed NERC to have a stakeholder process to come up with an applicable timeframe for nuclear power plants to comply with the Version 1 CIP Standards.
On September 15, 2009, NERC initially filed the Implementation Plan for Version 1 of CIP Standards. On December 17, 2009, FERC requested additional information from NERC on the systems determination in order to evaluate the Implementation Plan. FERC was specifically concerned with: (1) the anticipated date the systems framework would be finalized, (2) the status of the development of the exemption process, (3) whether the exemption process will include (a) an application deadline and (b) a deadline for determination on an exemption request, and (4) a description of any other time parameters that may be included in the exemption process.
NERC’s January 19, 2010 Compliance Filing outlined its “Bright-Line Test,” which details the ways in which NERC will identify the systems, structures and components that are subject to NERC and CIP Standards and those which are subject to NRC jurisdiction. In an attempt to streamline this process, NERC and NRC executed a memorandum of understanding on December 30, 2009 in order to coordinate their responsibilities with respect to cyber security. NERC stated in its January 19, 2010 filing that it will conduct regional workshops and then gather information about licensees through the distribution of “Bright Line Surveys.” NERC and NRC will verify the survey results to determine which systems and structures are within the CIP Standards.
NERC hopes to finalize the scope of systems determinations within eight months of when the Implementation Plan becomes effective. FERC accepted NERC’s compliance filing and approved its Implementation Plan for nuclear power plant generator owners’ and operators’ compliance with Version 1 of the CIP Standards. Moving forward, FERC also approved NERC’s request to submit similar implementation plans for Versions 2 and 3 of the CIP Standards.
FERC’s full order can be found at www.ferc.gov under Docket No. RM06-22-011.