FERC on July 21 voted 3-1 to approve a draft final rule directing the North American Electric Reliability Corp. to develop a reliability standard safeguarding the bulk power system from attacks targeting links in the power industry's supply chain.
The majority applauded the draft order for allowing NERC to figure out exactly how to protect the equipment and software that control power systems. But Commissioner Cheryl LaFleur dissented, acknowledging the vital importance of shielding the grid from assaults via the supply chain but insisting that the order goes about doing so the wrong way.
"I recognize that today's order on the face appears to afford a great deal of flexibility, but I believe that flexibility is, in fact, a lack of guidance on the issue we're addressing," LaFleur said during the agency's July 21 monthly open meeting. "We're tasking NERC … to do something we haven't figured out how to do — how to adapt this risk to a measurable, auditable and enforceable standard within the parameters of our jurisdiction under the Federal Power Act."
When FERC in January issued Order 822 approving seven revised critical infrastructure protection, or CIP, standards, it deferred any decision on one issue raised in its earlier notice of proposed rulemaking — whether a supply chain standard should be created — until after the technical conference already scheduled for later that month.
Presenting the draft final rule (RM15-14) at the FERC meeting, staff explained that it would require NERC to develop and file a supply chain standard within one year.
"The draft final rule does not, however, require NERC to impose any specific controls, nor does the commission require NERC to propose 'one-size-fits-all' requirements," staff said. "In other words, the draft final rule directs 'what' gap NERC should address, not 'how' NERC addresses that gap."
Staff explained that the draft final rule directs NERC to develop a standard requiring affected entities to implement plans for achieving security objectives related to software integrity and authenticity, vendor remote access, information system planning, and vendor risk management and procurement controls.
But LaFleur said she believes that approach "is essentially giving the standards development team a homework assignment without adequately explaining what it expects them to hand in." She warned that the majority's decision to issue a final rule at this juncture may ultimately delay implementation of a supply chain standard given "the unique structure" of the agency's jurisdiction over reliability standards.
Unlike with other aspects of its work, FERC cannot rewrite and send back to NERC a proposed standard the agency believes to be deficient, LaFleur noted. Instead, NERC must rewrite the standard by starting the standards development and approval process all over again, which LaFleur in a prepared statement said "constrains our ability to timely address a flawed standard."
"Unfortunately, I have way too much experience with telling NERC to bring us another rock and starting the endless … loop of remand, refiling, remand, that has led some standards to take many years to become effective," LaFleur said. "And I just think this is much too important an issue for that."
Responding to reporters' questions following the meeting, Chairman Norman Bay said the final rule took into account views expressed in comments on its earlier NOPR as well as those submitted leading up to and following the technical conference. Of particular note, Bay recalled that NERC proposed, and many entities supported, the framework adopted in the final rule.
"Putting all of that together, a majority of the commission decided that this approach was a reasonable one that took into account the risk [and] responded to it, but provided flexibility to NERC to provide a standard to us that was forward looking and objective based," Bay said.
LaFleur, however, said a better approach would have been to issue a supplemental proposed rule and take the time "to develop a better record upfront before proceeding."
"I think our most effective standards … and those that we get in place most promptly are those where we issue very clear and very structured guidance about what we want," LaFleur said. "Our choice today isn't action or inaction — clearly we need to act — but rather what action to take."
In related developments, FERC denied rehearing of Order 822. The commission also voted to approve a separate draft notice of inquiry (RM16-18) exploring whether standards related to control centers used to monitor and operate the bulk electric system in real time need to be modified. A cyberattack launched against the Ukraine electric grid in late 2015 targeted utilities' control systems, and FERC sought feedback on the separation between the internet and control center cybersystems and computer administration practices that can prevent unauthorized programs from running, among other things.