On January 18, 2018, FERC took steps to develop supply chain risk management Reliability Standards and to approve several new Emergency Preparedness and Operations (“EOP”) Reliability Standards. First, FERC issued a Notice of Proposed Rulemaking (“NOPR”) proposing to direct the North American Electric Reliability Corporation (“NERC”) to develop supply chain risk management requirements under the Critical Infrastructure Protection (“CIP”) Reliability Standards. Second, in a separate order, FERC approved several new EOP Reliability Standards aimed at addressing emergency event reporting, roles and responsibilities during system restoration via blackstart resources, system restoration plans and coordination, and the loss of control center functionality.
First, FERC issued a NOPR in response to a petition filed by NERC on September 26, 2017, which responded to FERC directives in Order No. 829 requiring NERC to develop new or modified reliability standards to address supply chain risk management for industrial control system hardware, software, and computing and networking services. In the NOPR, FERC proposed to approve the three CIP Reliability Standards upon determining that the standards are consistent with the objectives of Order No. 829. However, FERC found that the proposed standards did not address all of the Order No. 829 directives because the standards excluded Electronic Access Control and Monitoring Systems (“EACMS”), Physical Access Controls (“PACs”) and Protected Cyber Assets (“PCAs”). As a result, FERC proposed to direct NERC to: (1) include EACMS within the scope of the supply chain risk management Reliability Standards; and (2) study the risks presented by PACs and PCAs as part of an evaluation already proposed by the NERC Board of Trustees. Additionally, FERC noted that the 18-month implementation plan set by NERC was longer than required to implement the new Reliability Standards, particularly because the new standards are “process-based” and do not require implementation of new technology that might otherwise justify such a long implementation period. Therefore, FERC proposed to direct NERC to reduce the implementation period to 12 months.
Second, FERC issued a final rule to approve four EOP Reliability Standards and, in turn, retire several EOP Reliability Standards currently in effect. The final rule largely adheres to FERC’s NOPR, issued on September 20, 2017, in which FERC proposed to approve the EOP Reliability Standards. NERC’s petition for approval of these standards was filed on March 27, 2017. The revised EOP Reliability Standards address emergency event reporting, roles and responsibilities during system restoration via blackstart resources, system restoration plans and coordination, and the loss of control center functionality. In the final rule adopting NERC’s proposed standards, FERC stated that these new EOP Reliability Standards will enhance reliability by: (1) providing accurate reporting of events; (2) clarifying the roles and responsibilities of entities that support system restoration in the event of an emergency; (3) clarifying procedures and coordination requirements for entities responsible for system restoration; and (4) refining the requirements of operating plans used to maintain grid reliability.
A copy of the NOPR is available here. A copy of FERC’s final rule is available here.