FERC defers compliance deadlines for new cybersecurity protocols, other standards

Implementation of new cybersecurity protocols, including supply chain risk-management plans, has been pushed back three months to allow the power sector to focus on grid reliability and the ongoing response to the unprecedented health crisis posed by the coronavirus pandemic.

An order Friday granted the North American Electric Reliability Corp.'s April 6 motion seeking the three-month implementation delay to October 1 for three critical infrastructure protection standards, as well as a six-month compliance deadline extension for four other mandatory reliability standards that were set to become effective or be phased in during the second half of 2020.

"We are persuaded by NERC's statement that granting this motion will allow registered entities to focus their immediate efforts and resources on maintaining safety and ensuring the reliability of the grid," the Federal Energy Regulatory Commission said in the order.

REASONABLE, PROPORTIONATE RESPONSE

The agency found that "the deferred implementation dates constitute a reasonable and proportionate response to the substantial impacts of the COVID-19 pandemic on registered entities without unduly delaying the implementation of these reliability standards."

NERC, in its motion, pointed to supply-chain disruptions, limitations on staff availability and changes to outage and maintenance plans as impacts of the coronavirus pandemic that could make meeting compliance deadlines for new reliability standards challenging.

Grid operators and utility trade groups filed comments in support of the implementation delays.

However, the grid resilience advocacy group Protect Our Power expressed trepidation with "having one crisis, the pandemic, unnecessarily cause us to lose focus and a sense of urgency about another crisis, supply-chain risk."

ARGUMENTS REJECTED

Protect Our Power's bipartisan advisory panel includes experts from the power, defense, finance, and government sectors committed to strengthening the US power grid. The group advocated for limiting delay of the cybersecurity supply chain standard, CIP-013-1, to just 30 days, due to the critical nature of that supply chain. It also argued that "many or most utilities may already be prepared to comply with it by the [original] July 1 deadline," given that the standard was issued 15 months ago with an 18-month implementation schedule.

Grid-security blogger Michael Mabee, a fervent critic of FERC, urged the commission to deny NERC's motion in its entirety, contending that the industry should have been, and "is telling the public they are," prepared for a pandemic.

FERC rejected Protect Our Power's and Mabee's filings for missing the April 9 deadline for answers to the motion, but said the filings would have also been denied on the merits had they been timely.

"We are unpersuaded that NERC's requested three-month extension 'may not be in the public interest' and find that, although registered entities have taken steps to prepare for contingencies, it is nevertheless reasonable to provide them additional flexibility to properly allocate resources to address the impacts of COVID-19," FERC said in a footnote regarding the rejected filings.

The commission further explained in the order that it recognized that significant steps had likely already been taken toward complying with the original deadlines for all seven standards at issue.

"Nevertheless, it is now necessary to balance the important role these NERC reliability standards play in protecting the reliability and security of the bulk-power system with the need for registered entities to respond to the immediate challenges of COVID-19," FERC said. "Therefore, we expect entities to continue their work in implementing the standards and to take advantage of the additional time to ensure they are fully compliant with these reliability standards when they become enforceable.

NEW COMPLIANCE DATES

Along with the cybersecurity supply chain risk management standard, updates to electronic security perimeters (CIP-005-6) and cybersecurity configuration change management and vulnerability assessments (CIP-010-3) had their effective dates changed to October 1from July 1.

The October 1 effective dates for a standard on specific training for personnel (PER-006-1) and a standard governing coordination of protection systems for performance during faults (PRC-027-1) were delayed to April 1, 2021.

Entities were to demonstrate 50% compliance with certain disturbance monitoring and reporting requirements (PRC-002-2) by July 1, but will now have until January 1, 2021.

The generator relay loadability (PRC-025-2) standard's phased-in implementation included a July 1 deadline for compliance with certain requirements that has been deferred to January 1, 2021.