APPA calls on FERC to adopt NERC Version 5 cybersecurity standards without changes
Originally published June 26, 2013
The Federal Energy Regulatory Commission should adopt the North American Electric Reliability Corp.’s latest version of cybersecurity standards for critical infrastructure (the CIP Version 5 standards) "without modifications, conditions or directives," APPA said. NERC’s proposal and in particular the "identify, assess and correct" (IAC) framework represents a paradigm shift away from the so-called "zero defect" compliance approach and toward more effective risk management, APPA said in June 24 comments on FERC’s proposal to adopt the CIP Version 5 standards.
Adopting programmatic controls, rather than specific cyber controls, for low-impact cyber assets is critical, APPA told the commission. Imposing specific cyber controls on low-impact assets would hurt reliability by significantly increasing the administrative burden of compliance on utilities and siphoning resources away from actual reliability tasks that would secure those assets, APPA said. APPA cited the example of a Midwestern utility that has fewer than 30 medium-impact relays that provide protection to three 345-kV transmission substations, but more than 150 low-impact relays located in 50 separate 115-kV substations. Requiring specific cyber controls for low-impact assets also "would be an inflexible strategy for assets that require more responsiveness and adaptability."
APPA said it is willing to forego a legal challenge to the commission’s deficient Regulatory Flexibility Act (RFA) analysis and certification that the standards would have no significant impact on small entities, if FERC approves NERC’s proposal without modification. The NERC drafting team responded to the comments and concerns expressed by small entities during the standard development process, and attempted to minimize the regulatory burden imposed on such entities, while still ensuring the reliability of the bulk electricity system, APPA said.
However, each of the principal changes that the commission proposes to the Version 5 standards "would clearly invalidate the commission’s already deeply flawed proposed RFA analysis by substantially increasing the already heavy regulatory burden imposed on small entities, without commensurately increasing the associated benefits," APPA said. If the commission modifies NERC’s proposed CIP Version 5 standards in its final rule, it "must go back to the drawing board and conduct a full RFA analysis," APPA said. APPA expects the commission to correct the errors in its RFA calculations in the final rule on the Version 5 standards.
APPA urged the commission to accept NERC’s proposed implementation plan, including the 24-month and 36-month periods provided for responsible entities to develop and implement these standards.
Please Sign in to rate this.
Senior Vice President, Publishing
Jeanne Wickline LaBella
Editor, Public Power Daily
Fallon W. Forbush
Manager, Integrated Media
David L. Blaylock
Integrated Media Editor
- EIA: Daily gas power burn hits highest daily level so far in 2017
- NYPA’s Quiniones, CPS Energy recognized for energy transformation efforts
- To reduce impact of regulations, DOE should comply with process rules, Association says
- Judge backs New York on plan to support nuclear generation
- House bill designates municipal bonds as high-quality liquid asset
- Officials urge public power utilities to be prepared for cyberattacks
- Public power utilities recognized for high customer satisfaction
- Lawmakers hear about capacity market flaws, rising grid costs
- Cyber Hygiene: Preventive Care to Avoid Electric System Decay
- Hamilton Utilities’ urban forestry program boosts safety, reliability