Docket No. ER22-1262-0001

182 FERC ¶ 61,121

UNITED STATES OF AMERICA

FEDERAL ENERGY REGULATORY COMMISSION

 

Before Commissioners:  Willie L. Phillips, Acting Chairman;

                                        James P. Danly, Allison Clements,

                                        and Mark C. Christie.

 

New York Independent System Operator, Inc.

Docket No.

ER22-1262-000

 

ORDER ON COMPLIANCE AND REQUEST FOR WAIVERS

 

(Issued February 23, 2023)

 

  1.                On March 11, 2022, New York Independent System Operator, Inc. (NYISO) filed revised tariff records[1] to its Open Access Transmission Tariff (OATT) and Market Administration and Control Area Services Tariff (Services Tariff), and a request for waivers to comply with the requirements of Order No. 676-J.[2]  In Order No. 676-J, the Commission revised its regulations to incorporate by reference Version 003.3 of the Standards for Business Practices and Communication Protocols for Public Utilities (Business Practice Standards) adopted by the Wholesale Electric Quadrant (WEQ) of the North American Energy Standards Board (NAESB) as mandatory enforceable requirements.  The Commission required that public utilities make two compliance filings with the earlier filing incorporating the cybersecurity and Parallel Flow Visualization (PFV) standards included in Version 003.3.[3]  In this order, we accept NYISO’s revised tariff records for the cybersecurity and PFV standards effective February 23, 2023, subject to an additional compliance filing submitted within 30 days of the date of this order, as described below, and grant NYISO’s request for waivers.
  1. Background

 

  1.                On May 20, 2021, the Commission issued Order No. 676-J, which amended the Commission’s regulations under the Federal Power Act[4] to incorporate by reference the WEQ Version 003.3 of the Business Practice Standards adopted by NAESB.[5]  The NAESB Business Practice Standards are intended to standardize and streamline the transactional processes of the natural gas and electric industries, as well as the communication protocols and related standards designed to improve the efficiency of communication within each industry.[6]  The WEQ Version 003.3 Business Practice Standards also include newly created standards as well as modifications to existing standards developed through the NAESB Business Practice Standards development or minor correction processes.[7] 
  2.                With respect to the cybersecurity standards, the WEQ Version 003.3 Business Practice Standards include revisions made to the Open Access Same-Time Information Systems (OASIS) Business Practice Standards, which are related to the surety assessment on cybersecurity performed by the U.S. Department of Energy’s Sandia National Laboratories.[8]  NAESB reported that the revisions strengthen the practices and cybersecurity protections established within the standards by aligning security requirements with other cybersecurity guidelines, mitigating potential vulnerabilities, and incorporating more secure communication and encryption methodologies
  3.                With respect to the PFV standards, the WEQ Version 003.3 Business Practice Standards include additions, revisions, and reservations made to the WEQ-008 Transmission Load Relief (TLR) – Eastern Interconnection Business Practice Standards, which NAESB advises completes the standards development effort for the PFV enhanced congestion management process.[9]  The Commission explained that the PFV standards are designed to improve upon the congestion management procedures for the Eastern Interconnection through the use of real-time data in calculations for TLR obligations.
  4.                In Order No. 676-J, the Commission directed public utilities to make two compliance filings for the Version 003.3 Business Practice Standards.  For the cybersecurity and PFV standards included in Version 003.3, the Commission directed public utilities to make a separate compliance filing with these revisions nine months after the publication of Order No. 676-J, with implementation required no sooner than three months after compliance filings are submitted to the Commission, for a total implementation period of at least 12 months from the issuance of Order No. 676-J.[10]  For the remainder of the revisions in Version 003.3, the Commission directed public utilities to make a separate compliance filing with these revisions 12 months after implementation of the WEQ Version 003.2 Standards, or no earlier than October 27, 2022, with an implementation date no earlier than three months following compliance filings submission (no earlier than January 27, 2023), resulting in a 15-month implementation period.[11]
  5.                The Commission also stated that should any public utility that has previously been granted a waiver of the regulations believe that its circumstances warrant a continued waiver, the public utility may file a request for a waiver wherein the public utility can detail the circumstances that it believes warrant a waiver.[12]  The Commission specified that in its request for continued waiver, the public utility must include the date, docket number of the order(s) previously granting the waiver(s), and an explanation for why the waiver(s) was initially granted by the Commission.

II.                NYISO’s Filing

A.                Proposed Standards

  1.                NYISO proposes to incorporate certain cybersecurity standards and all of the PFV standards, incorporated by reference by the Commission in Order No. 676-J, into its OATT and Services Tariff, and requests waiver of certain cybersecurity standards, as set forth below. In particular, NYISO proposes to incorporate the cybersecurity standards contained in WEQ-000, Version 003.3.[13] NYISO explains that the cybersecurity standards pertain primarily to WEQ-002, OASIS Business Practice Standards and Communication Protocols, for which it has long sought and received a waiver from the Commission, as described below.  NYISO also explains that the PFV standards modify the business practice standards to enable the PFV enhanced congestion management process for the Eastern Interconnection. NYISO states that, under these revised PFV standards, the market flows and network and native load calculations are substituted with the Generation-to-Load impact, which calculates energy flows on a flowgate and assigns relief obligations during a TLR event based on real-time data reported by the relevant Balancing Authorities.[14] NYISO requests that the proposed OATT and Services Tariff revisions become effective on June 2, 2022.[15]

B.                 Request for Waivers

  1.                NYISO requests waivers of the cybersecurity standards set forth in WEQ-001 and WEQ-002, Version 003.3.[16]  NYISO states that as set forth in its July 27, 2021 compliance filing for Order No. 676-I[17] and noted in the Commission’s March 7, 2022 order accepting that compliance filing,[18] it has historically sought and received numerous waivers from WEQ standards as NYISO’s “financial reservation” transmission model renders them inapplicable to NYISO and its market participants.[19] NYISO explains that among those prior waivers, the Commission has granted NYISO’s request for a full waiver of WEQ-002 and a partial waiver from WEQ-001 in NAESB WEQ Version 003[20] and Version 003.2,[21] in recognition of the fact that NYISO does not operate a traditional OASIS to facilitate transmission service.[22]  NYISO states that as it explained in its      July 27, 2021 compliance filing and the Commission accepted in its Order No. 676-I Compliance Order, the Business Practice Standards set forth in portions of WEQ-001 and all of WEQ-002 are inapplicable or irrelevant to NYISO and its market participants.  NYISO states that it is currently operating pursuant to those waivers.
  2.                NYISO also states that the cybersecurity standards contained in WEQ-001 and WEQ-002, Version 003.3 set forth security requirements specific to network functions that are not performed by NYISO due to these longstanding waivers.[23] NYISO therefore seeks a waiver of the cybersecurity standards in WEQ-001 and WEQ-002.

C.                 Motion for Leave to File Compliance Filing Out-of-Time

  1.            NYISO also filed a motion requesting leave to submit its compliance filing       out-of-time.[24]  NYISO states that its compliance filing was due nine months after the publication of Order No. 676-J in the Federal Register, which is March 2, 2022.  NYISO states that due to an inadvertent administrative oversight, it was not in a position to submit its compliance filing until March 11, 2022.  NYISO states that it is fully prepared to implement the appropriate cybersecurity and PFV standards in its compliance filing on June 2, 2022, the earliest implementation date specified by Order No. 676-J.  NYISO states that it does not believe that any stakeholder will be prejudiced by NYISO’s delay in making this compliance filing given its non-controversial nature and the length of time remaining before the proposed effective date.  NYISO states that it is mindful that it must comply with all Commission deadlines and will take steps not to repeat the oversight that caused the delay in this proceeding. NYISO requests that the Commission accept its compliance filing nine days out-of-time.

III.            Notice and Responsive Pleadings

  1.           Notice of NYISOs compliance filing was published in the Federal Register,      87 Fed. Reg. 51,231 (Mar. 17, 2022), with interventions and protests due on or before April 1, 2022.  None was filed.

IV.             Discussion

  1.           As an initial matter, we grant NYISO’s motion requesting leave to submit its compliance filing nine days out-of-time. NYISO states that it is fully prepared to implement the appropriate cybersecurity and PFV standards in its compliance filing on June 2, 2022, the earliest implementation date specified by Order No. 676-J, and it does not believe that any stakeholder will be prejudiced by its delay in making this compliance filing given its non-controversial nature and the length of time remaining before the proposed effective date.  We note NYISO’s commitment to take steps so that it will not repeat the inadvertent administrative oversight that caused the delay in this proceeding.[25]
  2.           With respect to the compliance filing, we accept NYISO’s Order No. 676-J revised tariff records for the cybersecurity and PFV standards effective February 23, 2023,[26] grant the requested waivers, and direct NYISO to submit an additional compliance filing.  In particular, we accept NYISO’s revised tariff records because they comply with the directives of Order No. 676-J, subject to the additional compliance filing discussed below.
  3.           We grant NYISO’s request for continued waivers of the cybersecurity standards set forth in WEQ-001 and WEQ-002, Version 003.3.  We find that NYISO has supported waiver of the foregoing standards for the reasons set forth in NYISOs filing, and because the rationale used when the Commission previously granted these waivers has not changed. Therefore, consistent with the Commissions previous determinations in the Order No. 676-H Compliance Order[27] and Order No. 676-I Compliance Order,[28] and for good cause shown, we grant the requested waivers.[29]
  4.           Finally, NYISO’s revised tariff records include placeholders for the citation of this order granting the waiver requests.  Therefore, we require NYISO to submit a compliance filing within 30 days of the date of issuance of this order to revise its tariff records to include the citations to this order granting the waiver requests.[30]  In addition, in this compliance filing, we direct NYISO to correct the typographical errors in the dates listed for the WEQ-002 cybersecurity standards (Version 003.3) in section 5.1.2 (b) of the Services Tariff and section 2.17.1 of the OATT.[31]

The Commission orders:

 

(A)            NYISOs revised tariff records for the cybersecurity and PFV standards are hereby accepted for filing, effective February 23, 2023, subject to an additional compliance filing, as discussed in the body of this order.

 

(B)             NYISOs request for waivers is hereby granted, as discussed in the body of this order.

 

(C)             NYISO is hereby directed to submit a compliance filing within 30 days of the date of issuance of this order, as discussed in the body of this order.

 

By the Commission.

 

( S E A L )

 

 

 

 

Kimberly D. Bose,

Secretary.

 

 

[1] NYISO, NYISO Tariffs, NYISO OATT, § 2.17 (OATT Incorporation of Certain Business Practice Standards) (7.0.0) and NYISO MST, 5.1 MST Control Area Services (10.0.0).

[2] Standards for Bus. Pracs. & Commc’n Protocols for Pub. Utils., Order No.   676-J, 175 FERC  61,139 (2021).

[3] Id. PP 49-50.

[4] 16 U.S.C. § 791a, et seq.

[5] Order No. 676-J, 175 FERC ¶ 61,139 at P 1.  In Order No. 676-J, the Commission also revised its regulations to provide that transmission providers must avoid unduly discriminatory and preferential treatment in the calculation of Available Transfer Capability.  Id. P 2. 

[6] Id. P 4.

[7] Id. P 9. 

[8] Id. P 11.  These revisions are in the WEQ-000, WEQ-001 and WEQ-002 Business Practice Standards.  Id., app. I Standards Affected by the Revisions to Implement Recommendations Following Sandias Surety Assessment on Cybersecurity.

[9] Id. P 14. 

[10] Id. PP 49-50.

[11] Id. PP 48, 50.

[12] Id. P 51.

[13] Transmittal at 2.

[14] Capitalized terms that are not defined in this order have the meaning specified in section 1 of the OATT or section 2 of the Services Tariff.

[15] Transmittal at 2.  NYISO states that it is fully prepared to implement the appropriate cybersecurity and PFV standards on June 2, 2022, the earliest possible implementation date specified by Order No. 676-J.  Id. at 1; see infra note 26.

[16] Transmittal at 2.

[17] New York Independent System Operator, Inc., Compliance Filing, Docket No. ER21-2526-001 (filed July 27, 2021).

[18] N.Y. Indep. Sys. Operator, Inc., 178 FERC  61,165 (2022) (Order No. 676-I Compliance Order).

[19] Transmittal at 2.

[20] Id. at 3 & n.1; N.Y. Indep. Sys. Operator, Inc.,151 FERC ¶ 61,157, at P 44 (2015) (Order No. 676-H Compliance Order).

[21] Transmittal at 3 & n.2; Order No. 676-I Compliance Order, 178 FERC  61,165 at P 17.

[22] Transmittal at 3.

[23] Id.

[24] Id. at 1.

[25] Id.

[26] In Order No. 676-J, the Commission stated that it would set an implementation date for the cybersecurity and PFV standards no sooner than 12 months after publication of Order No. 676-J in the Federal RegisterOrder No. 676-J, 175 FERC  61,139 at PP 49-50.  Order No. 676-J was published in the Federal Register on June 2, 2021.  We choose to set a common effective date of February 23, 2023 for all of the Order No.   676-J compliance filings, which is the issuance date of our orders accepting these compliance filings. Commission staff will reset the effective date for the tariff records in eTariff to February 23, 2023.

[27] Order No. 676-H Compliance Order, 151 FERC  61,157 at P 44.

[28] Order No. 676-I Compliance Order, 178 FERC  61,165 at P 17.

[29] The Commission will address any waiver requests that go beyond the cybersecurity and PFV standards in Version 003.3 in the Commission’s future orders that will address the second Order No. 676-J compliance filings concerning the remainder of the NAESB standards revisions in Version 003.3.

 

[30] For this compliance filing, we remind NYISO to include a higher eTariff priority code for its revised tariff records effective February 23, 2023.

[31] These sections each include a typographical error listing the WEQ Version 003.3 date as March 3020, which should be corrected to March 30, 2020.