United States: FERC NOI Considers Expansion Of Cybersecurity Rules To Distributed Generation

On Wednesday, June 24, 2020, the Federal Energy Regulatory Commission (FERC or "the Commission") published a Notice of Inquiry (NOI) in the Federal Register soliciting comments on potential enhancements to the Critical Infrastructure Protection (CIP) Reliability Standards¹ that currently exist to help our energy infrastructure protect itself from attack. (Initial Comments are due by August 24, 2020, and Reply Comments are due by September 22, 2020.). While this NOI speaks mostly of cybersecurity protection and vulnerabilities to cyberattacks on our bulk power system, it focuses attention on "the risk [that] such a coordinated attack may be exacerbated by the recent shift from larger, centralized generation resources to smaller, more geographically distributed generation resources." The solutions FERC is seeking comment on could have disproportionate impacts on the renewable energy industry, which has enjoyed considerable expansion in the growing distributed generation (DG) sector.

The NOI seeks comment on two related but separate issues. The first is whether current CIP Reliability Standards adequately address three topics: cybersecurity risks pertaining to data security, detection of anomalies and events, and mitigation of cybersecurity events. These three areas of concern were identified by FERC staff by comparing the "content of the [National Institute of Standards and Technology Cyber Security Framework] (NIST Framework)² with the substance of the CIP Reliability Standards," and identifying gaps between the two which might present a risk to Bulk Electric System (BES) reliability. While there are a number of subcategories within these three topics that FERC is seeking to address with this NOI, for all of the topics FERC is probing whether the current CIP Reliability Standards sufficiently cover these gaps, especially given that many of the standards do not apply to low impact BES Cyber Systems.³ The second issue on which FERC is seeking comments is the potential risk of a coordinated cyberattack on geographically distributed targets and whether Commission action, including potential modifications directly to the CIP Reliability Standards themselves, would be appropriate to address such risk. Both issues raise the possibility of imposing new material federal regulations on distributed renewable energy generators, which are, for the most part, regulated by state authorities. The potential impact on these distributed generators is likely to be a vastly expanded imposition of federal standards, although the extent of this impact will be dependent on which potential policy outcomes arise from this NOI.

FERC proposes two possible changes to address these risks and explicitly requests comments on its proposals. The Commission focuses its proposals on the low, medium, and high-impact categories for CIP Reliability Standard applicability, which are currently determined by either the wattage of a generating facility or the voltage at which a transmission facility operates. One of these potential changes would adjust the BES Cyber System categorization thresholds, which are based on "bright-line" criteria, while the other would simply extend the CIP Reliability Standards to apply to all three of the BES Cyber System categories. Currently, according to CIP-002-5.1a, Bulk Electric System (BES) Cyber Systems are categorized based on the impact their "associated Facilities, systems, and equipment. if destroyed, degraded, misused, or otherwise rendered unavailable, would [have on] the reliable operation of the Bulk Electric System."

In its NOI, FERC suggested that it might change the threshold between low-impact BES Cyber Systems and medium-impact BES Cyber Systems, with the effect of increasing the number of regulated generating and transmission facilities categorized as medium-impact. This change in the categorization threshold would lead to more registered entities being subject to additional requirements, specifically NERC Reliability Standards CIP-004 though CIP-013.⁴ The current "bright-line" between low- and medium-impact ratings is 1500 MW in a single interconnection, transmission facilities operated at 500 kV or higher, or transmission facilities operated above 200 kV but connected to additional transmission facilities with a weighted value above a certain amount. Lowering any of these thresholds could dramatically increase the number of distributed renewable energy generators that are required to comply with NERC standards.

Alternatively, FERC also mentioned a more direct option, the possibility of modifying the reliability standards "to include low-impact BES Cyber Systems with remote electronic access connectivity." This modification could have a more dramatic effect on which entities are subject to NERC standards - low-impact BES Cyber Systems do not currently require discrete identification, and it functions as a catch-all category. If the CIP Reliability Standards were simply extended to this third category, functionally all transmission and generation entities would be regulated, no matter how small.

For small distributed generators, complying with the full suite of CIP standards could have a large impact on operations and create significant logistical issues with complying with some of the CIP standards - for instance, would individual homeowners be required to take steps to protect against hacking to comply with the CIP standards? As briefly mentioned by FERC in this NOI, one aspect of CIP standards is requiring registered entities to perform grid exercises and training for hypothetical scenarios - which begs the question - which parts of the distributed generating ecosystem would participate in such exercises?

Additionally, there is a real question as to how real the risk is that FERC is purporting to address in this NOI. The President's recent, separate, Executive Order on May 1, 2020 stated that "foreign adversaries are increasingly creating and exploiting vulnerabilities," and expressed that the bulk-power system is a target which needs to be protected. However, even this EO stated that the "bulk-power system" definition "includes transmission lines rated at 69,000 volts (69 kV) or more, but does not include facilities used in the local distribution of electric energy."

This FERC NOI and POTUS's May 1, 2020 Executive Order on the Bulk Power System are two examples⁵ of increased federal activity in the name of preventing hacking and cyberattacks to protect national security, which simultaneously represents an increased intrusion into state domain and increased regulation of the renewable energy industry. It is crucial that in making these regulatory adjustments which purport to protect the cybersecurity of the BPS, we balance the disproportionate impact they could have on renewable DG.

Footnotes

1. The CIP Reliability Standards are adopted by the North American Electric Reliability Corporation (NERC), which then petitions FERC for approval of the standards. The standards are designed to ensure the Bulk Electric System (BES) operates reliably. See NERC Standards page, https://www.nerc.com/pa/Stand/Pages/Default.aspx.

2. The NIST Framework is an "ongoing collaborative effort involving industry, academia, and government" to "'facilitate and support the development of' cybersecurity risk frameworks", which was created as a result of the Cybersecurity Enhancement Act of 2014. Since 2008, FERC has looked to NIST to improve its CIP Reliability Standards, and since 2014 to this Framework. Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology, pages iv, 1, (April 16, 2018).

3. The term BES Cyber Systems was created in the most recent update of the CIP Reliability Standards, and can be viewed as a grouping of BES Cyber Assets. A BES Cyber Asset would affect the reliable operation of the Bulk Electric System, if destroyed, degraded, or otherwise rendered unavailable. See Glossary of Terms Used in NERC Reliability Standards, https://www.energy.gov/sites/prod/files/2017/09/f36/NERC%20Glossary.pdf.

4. See FERC Notice of Inquiry on Potential Enhancements to the Critical Infrastructure Protection Reliability Standards, Footnote 5, June 24, 2020.

5. An additional example is the NERA petition to move regulation of net-metering from the state domain to FERC's jurisdiction.

To view Foley Hoag's Energy & Cleantech Counsel blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.