Public Power Daily Logo

APPA calls on FERC to adopt NERC Version 5 cybersecurity standards without changes


From the June 26, 2013 issue of Public Power Daily

Originally published June 26, 2013

By Robert Varela
Editorial Director
The Federal Energy Regulatory Commission should adopt the North American Electric Reliability Corp.’s latest version of cybersecurity standards for critical infrastructure (the CIP Version 5 standards) "without modifications, conditions or directives," APPA said. NERC’s proposal and in particular the "identify, assess and correct" (IAC) framework represents a paradigm shift away from the so-called "zero defect" compliance approach and toward more effective risk management, APPA said in June 24 comments on FERC’s proposal to adopt the CIP Version 5 standards.

Adopting programmatic controls, rather than specific cyber controls, for low-impact cyber assets is critical, APPA told the commission. Imposing specific cyber controls on low-impact assets would hurt reliability by significantly increasing the administrative burden of compliance on utilities and siphoning resources away from actual reliability tasks that would secure those assets, APPA said. APPA cited the example of a Midwestern utility that has fewer than 30 medium-impact relays that provide protection to three 345-kV transmission substations, but more than 150 low-impact relays located in 50 separate 115-kV substations. Requiring specific cyber controls for low-impact assets also "would be an inflexible strategy for assets that require more responsiveness and adaptability."

APPA said it is willing to forego a legal challenge to the commission’s deficient Regulatory Flexibility Act (RFA) analysis and certification that the standards would have no significant impact on small entities, if FERC approves NERC’s proposal without modification. The NERC drafting team responded to the comments and concerns expressed by small entities during the standard development process, and attempted to minimize the regulatory burden imposed on such entities, while still ensuring the reliability of the bulk electricity system, APPA said. 

However, each of the principal changes that the commission proposes to the Version 5 standards "would clearly invalidate the commission’s already deeply flawed proposed RFA analysis by substantially increasing the already heavy regulatory burden imposed on small entities, without commensurately increasing the associated benefits," APPA said. If the commission modifies NERC’s proposed CIP Version 5 standards in its final rule, it "must go back to the drawing board and conduct a full RFA analysis," APPA said. APPA expects the commission to correct the errors in its RFA calculations in the final rule on the Version 5 standards.

APPA urged the commission to accept NERC’s proposed implementation plan, including the 24-month and 36-month periods provided for responsible entities to develop and implement these standards. 

Ratings

Be the first to rate this item!

Please Sign in to rate this.

Comments

  Add Your Comment

(1000 of 1000 characters remaining)

Senior Vice President, Publishing 
Jeanne Wickline LaBella
202/467-2948
JLaBella@publicpower.org

Editorial Director
Robert Varela
202/467-2947
RVarela@publicpower.org

Editor, Public Power Daily
Jeannine Anderson
202/467-2977
JAnderson@publicpower.org

Communications Assistant
Fallon W. Forbush
202/467-2958
FForbush@publicpower.org

Manager, Integrated Media 
David L. Blaylock
202/467-2946
DBlaylock@publicpower.org

Integrated Media Editor 
Laura D’Alessandro 
202/467-2955 
LDAlessandro@publicpower.org