Media Statements & Speeches
Commissioner Cheryl A. LaFleur Statement
April 18, 2013
Docket Nos. FA11-21-000, RM13-5-000, RM12-16-000 & RM12-7-001
Item Nos. E-6, E-7, E-8 & E9
“I am pleased to support the four reliability orders on today’s agenda. Three of these orders address matters critical to the reliability of the bulk electric system, including cyber security, while the fourth provides important guidance to NERC as it continues to carry out its function as the Electric Reliability Organization (ERO).
Cyber Security Standards
“The most significant reliability matter the Commission acts on today is NERC’s petition to approve Version 5 of the Critical Infrastructure Protection Standards (CIP Standards). These Standards protect the cyber security of the North American grid.
“Cyber security has received a great deal of attention in recent months, thanks in large part to President Obama’s recent Executive Order on this issue. In my mind, the President’s recent Executive Order is more than a call for action on specific items—it is a challenge to each of us in positions of authority and influence to build a culture of cyber security. As the President observed a few years ago, “the great irony of our Information Age” is that “the very technologies that empower us to create and to build also empower those who would disrupt and destroy.” We must do our part to defend against those who would use the benefits of technology for harmful purposes.
“In the electric industry, we have been aware of cyber security as an emerging issue for a number of years. And while the Commission will do its part under the Executive Order, we are fortunate that in the Energy Policy Act of 2005 Congress gave us independent statutory authority over the cyber security of the grid. We have exercised this authority by requiring NERC to adopt the CIP Standards and to make modifications that improve their effectiveness.
“Earlier this week, I was honored to speak at the Woodrow Wilson Center at a forum on U.S. and Canadian efforts to protect the cyber security of the North American grid. During the discussion, participant after participant stressed a common theme: cyber security is a journey, not a destination. We will always be adapting because the threats are always changing.
“At one point, I drew an analogy between the CIP Standards and the iPhone. Just when you think you have the latest, greatest version, something new comes along—something that has more coverage, a better user interface, or more features. The same is true with the CIP Standards. There is always room for improvement. There is always a way to better distinguish or capture more assets.
“The Version 5 CIP Standards we propose to approve today are a significant improvement over the currently effective Version 3 Standards and the Version 4 Standards scheduled to go into effect next April. Following an approach recommended by the National Institute of Standards and Technology (NIST), the Version 5 Standards require, for the first time, that all cyber systems receive some level of protection based on their impact on the grid. Because we agree with NERC that this and other modifications represent a significant improvement over Versions 3 and 4, we propose to approve NERC’s request to skip Version 4 and require compliance directly with Version 5.
“However, it is important to note that we do identify concerns with and ask questions about certain elements of the proposed Version 5 Standards. For example, language requiring entities to “identify, assess, and correct” deficiencies may result in requirements that are unclear and difficult to audit or enforce. Therefore, we seek comment on several concerns related to this language. We also seek comment on whether the two-year implementation period for Medium and High Impact assets and the three-year implementation period for Low Impact assets are necessary, or can be accomplished more quickly. I look forward to receiving a broad range of comments on these issues and on all of the issues raised in the NOPR.
“I want to thank both the standards drafting team and FERC staff that worked on all the orders we vote out today. On CIP in particular, we heard from many people that quick action on Version 5 was important for entities unsure of whether or not to dedicate the resources necessary to comply with Version 4 or to focus instead on compliance with Version 5. Thank you for turning the order around so promptly.
“In addition to its action on the CIP Standards, the Commission largely affirms its Final Rule approving a new definition of the Bulk Electric System (BES), including its findings that certain networked configurations do not qualify as radial for the purposes of Exclusion E-1 but may qualify as local networks for the purposes of Exclusion E-3. The Commission explains, however, that NERC is free to develop equally efficient and effective alternatives to modifying Exclusion E-3 to include the configurations that are not eligible for Exclusion E-1.
“Among other things, the Commission clarifies that:
- Currently unregistered entities or entities with facilities that are included in the BES for the first time as a result of the new definition do not have to comply with newly relevant Reliability Standards during the pendency of their exception request. The Commission expects entities to file, and NERC to decide, any exception requests during the two-year transition period approved in the Final Rule.
- The exceptions process and the process for the Commission making local distribution determinations are separate, not concurrent, and result in different determinations.
- State regulators may participate in local distribution determinations, but the question of whether a facility is local distribution is a question of fact that will be decided by the Commission; and
- In the absence of bad faith, if an entity applies the new BES definition and determines that a facility is no longer in the BES, that facility will be treated as non-BES and therefore exempt from relevant Reliability Standards, upon notification of the appropriate Regional Entity. This status will continue unless NERC makes a contrary determination. In the event NERC makes a contrary determination, the entity will not be subject to retroactive liability for the time when it had the good-faith belief that the facility was not included in the BES.
Generator Interconnection Lines
“The Commission also proposes to approve modifications to four Reliability Standards to clarify that they apply to generator lead lines. Notably, one of these Standards is the Vegetation Management Standard, while two others pertain to protection systems. While NERC acknowledges that complex cases will continue to require case-by-case determinations of what Standards apply to generator lead lines, the modifications we propose to approve today will provide greater reliability by imposing certain basic requirements on all generator lead lines.
“Finally, the Commission largely approves NERC’s criteria for determining whether an activity may be funded pursuant to section 215 of the Federal Power Act. These criteria will guide NERC in future budget proceedings. Equally as important, this order concludes the audit proceeding initiated by the Office of Enforcement in 2012. I am confident that NERC and the Commission can now move forward and continue our productive relationship.”