On March 20, 2014, FERC partially clarified and denied rehearing of Order No. 791, which approved the Version 5 Critical Infrastructure Protection (“CIP”) Reliability Standards. The Commission clarified issues surrounding the implementation of the order as well as the requirement that the North American Electric Reliability Corporation (“NERC”) conduct a survey of certain types of cyber assets.
In Order No. 791, FERC approved the NERC Version 5 CIP Reliability Standards (see November 22, 2013 edition of the WER). The standards require owners or operators of the bulk electric system to identify and categorize cyber systems based on whether the systems have a low, medium, or high impact on the operation of the bulk electric system. Once a system is categorized, owners or operators would comply with the requirements of the asset’s specific category.
In Order No. 791, the Commission directed NERC to conduct a survey to determine what assets were outside the definition of “bulk electric system cyber asset” because they did not satisfy the “15-minute” parameters, under which an asset qualifies if its compromise would, within 15 minutes of its assigned operation or non-operation, adversely impact one or more facilities. On rehearing, FERC addressed concerns that the survey would be overly burdensome and could be more efficiently addressed through a technical conference. In Order No. 791-A, the Commission clarified that the survey would not be overly burdensome as NERC was not ordered to survey all assets affected by the 15-minute parameters, and NERC was free to determine the scope of the survey.
Additionally, NERC originally proposed to direct utilities to implement the technical requirements in most of the CIP Reliability Standards in a manner that “identifies, assesses, and corrects deficiencies” in compliance. By including this language, NERC sought to provide some flexibility for utilities to minimize compliance costs. In Order No. 791, the Commission rejected this language and directed NERC to remove it from the standards within one year, finding that the language was too ambiguous to permit the Commission to understand the obligations it imposes and could be subject to multiple interpretations. Parties requested clarification as to how entities should craft their compliance with the CIP standards pending the removal of the “identify, assess and correct” language in a subsequent NERC compliance filing. FERC held that entities should still have sufficient direction to move forward with implementation of the technical controls while NERC addresses the language in a future compliance filing.
A copy of the order is available here.