UNITED STATES OF AMERICA
BEFORE THE
FEDERAL ENERGY REGULATORY COMMISSION
Version 4 Critical Infrastructure Protection Reliability Standards ) Docket No. RM11-11-000
COMMENTS OF THE
ISO/RTO COUNCIL
The ISO/RTO Council (“IRC”) submits these comments in response to the Notice of Proposed Rulemaking (the “NOPR”) issued by the Federal Energy Regulatory
Commission (the “Commission”) on September 15, 2011, in this proceeding.1
I. BACKGROUND AND INTRODUCTION
Issued on January 18, 2008, Order No. 706 approved eight Critical Infrastructure
Protection Reliability Standards (“CIP Standards”) developed by the North American
Electric Reliability Corporation (“NERC”), as well as the implementation plan that set
the milestones for responsible entities to achieve full compliance with the CIP
Standards.2 Order No. 706 also directed NERC: (i) to modify the CIP Standards through
its Reliability Standards development process to address specific concerns identified by
the Commission; (ii) to create a timetable to develop the CIP Standards modifications;
and, if warranted, (iii) to develop and file with the Commission a second implementation.
On May 16, 2008, the Commission issued Order No. 706-A addressing, among other things, requests for clarification of certain provisions of Order No. 706, including, in pertinent part, that of the IRC. The IRC’s clarification request focused on Order No.
1 Version 4 Critical Infrastructure Protection Reliability Standards, 136 FERC ¶ 61,184 (2011).
2 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC
¶ 61,040, order on reh’g, Order No. 706-A, 123 FERC ¶ 61,174 (2008), order on clarification, Order No. 706-B, 126 FERC ¶ 61,229 (2009).
DMEAST #14273133 v6
706’s requirement that NERC consider developing an external review mechanism by
which an entity with a “wide area” view provides oversight of a user, owner or operator’s
determination regarding which of its assets are critical assets.3 In Order No. 706-A, the
Commission agreed with the IRC that if a third party is tasked with reviewing whether a
Responsible Entities’ assets are “Critical Assets” for purposes of the CIP Standards, that
review should be: (i) a limited one, and (ii) subject to the same liability protections that
the Electric Reliability Organization (“ERO”) would have, if the ERO were conducting
the review.4
In the NOPR, the Commission proposes to approve Version 4 of the CIP
Standards (CIP-002-4 through CIP-009-4), among other reliability standards.5
Recognizing Version 4 of the CIP Standards as an “interim step” to address the
Commission’s directives in Order No. 706, the Commission also seeks comments on the proposal to establish a deadline for NERC to satisfy such directives, as well as other potential approaches to identify Critical Cyber Assets.6
The IRC’s comments center on proposed Standard CIP-002-4, and in particular
Attachment 1 of that Standard. Attachment 1 provides criteria for identifying Critical
Assets on the Bulk Electric System. As described in the NOPR, the Attachment 1
Criteria are intended to establish uniform, bright-line tests for identifying Critical Assets.7
3 See Mandatory Reliability Standards for Critical Infrastructure Protection, Request of ISO/RTO Council for Clarification; Docket No. RM06-22-001 (filed Feb. 19, 2008) (“IRC Request”).
4 See Order No. 706-A at P 53.
5 See NOPR at P 19.
6 Id. at P 20.
7 Id. at PP 12, 15.
In these comments, the IRC raises specific concerns about Criteria 1.3 and 1.4. They provide that the following, among others, are considered Critical Assets:
1.3 Each generation Facility that the Planning Coordinator or
Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.
1.4 Each Blackstart Resource identified in the Transmission
Operator’s restoration plan.
The concerns raised about Criteria 1.3 and 1.4 demonstrate that Version 4 CIP-002-4
warrants additional clarification and direction to ensure uniform implementation. To the
extent that the Commission approves Standard CIP-002-4, additional guidance or
direction to NERC on how to exercise discretion on enforcement and implementation
issues given the potential overlap and possible conflict with impending Version 5 of the
standard is needed.
II. IDENTIFICATION OF FILING PARTY; COMMUNICATIONS
The IRC is comprised of the Alberta Electric System Operator (“AESO”);
California Independent System Operator (“CAISO”); Electric Reliability Council of
Texas (“ERCOT”); the Independent Electricity System Operator of Ontario, Inc.
(“IESO”); ISO New England Inc. (“ISO-NE”); Midwest Independent Transmission
System Operator, Inc. (“MISO”); New York Independent System Operator, Inc.
(“NYISO”); PJM Interconnection, L.L.C. (“PJM”); Southwest Power Pool, Inc. (“SPP”);
and New Brunswick System Operator (“NBSO”).8 The IRC’s mission is to work
collaboratively to develop effective processes, tools and standard methods for improving
the competitive electricity markets across North America. In fulfilling this mission, it is
8 The AESO, IESO, and NBSO are not subject to the Commission’s jurisdiction, and are not joining in these comments.
the IRC’s goal to provide a perspective that balances reliability standards with market practices so that each complements the other, thereby resulting in efficient, robust markets that provide competitive and reliable service to customers.
III. COMMENTS
The IRC supports the efforts to establish a uniform system of Critical Asset
identification. Version 4 is, however, an “interim step” in the continuing development of
CIP Standards and, based on the NOPR, the Commission is entertaining providing
additional input to NERC on the future development of CIP Standards. As a result, in
these comments, the IRC highlights certain aspects of Standard CIP-002-4 that warrant
additional clarification or direction in order for the Standard to meet the stated goal of
establishing uniform, bright-line criteria for identifying Critical Assets on the Bulk
Electric System.
Although the goal of the Standard CIP-002-4, Attachment 1 is to provide a
uniform, bright-line standard for identifying Critical Assets, some of its provisions
conflict with this goal. Criterion 1.3, for example, could be interpreted as shifting to a third party (such as Planning Coordinators and Transmission Planners) the responsibility to determine whether a generation facility constitutes a Critical Asset. Furthermore,
given the lack of detail in the Criterion, it is susceptible to multiple interpretations. In addition, Criterion 1.4 establishes that all Blackstart Resources identified in the
Transmission Operator’s Restoration Plan are “Critical Assets,” but the NERC
Compliance Registry Criteria states that only those Blackstart Resources that are
“material to” the Restoration Plan are covered.
Accordingly, Version 4 of CIP-002 warrants additional clarification and direction to address the issues detailed herein and in furtherance of NERC’s overall efforts to
comply with Order No. 706. To the extent that the Commission approves Version 4 of CIP-002, the IRC requests that the Commission provide guidance or direction to NERC on how to exercise discretion on enforcement and implementation issues given the
potential overlap and possible conflict with Version 5 of the standard.
A. If CIP-002, Attachment 1 is Intended to Place Any Responsibility on Third Parties Related to the Designation of “Critical Asset”, Then Per Order No. 706-A, These Third Parties Should Receive the Same Liability Protection as NERC
Per Order Nos. 706 and 706-A, the CIP Standards stem from the principle that
each entity is responsible for designating facilities it owns as “Critical.”9 At the same
time, the Commission has long recognized that there may be a role for other entities, such as NERC or the Regional Entities, to provide guidance or oversee individual companies’ methodologies for designating their facilities. More specifically, Order No. 706
envisioned that NERC or the Regional Entities would provide such guidance through the development of an “external review” process to supplement compliance and monitoring processes.10 Order No. 706, however, noted that if NERC or the Regional Entities
concluded that they were not capable of conducting this exercise, they could delegate this responsibility to Reliability Coordinators.11
As briefly mentioned above, in response to Order No. 706, the IRC commented
that if NERC delegates this oversight role to Reliability Coordinators, then NERC would
9 See Order No. 706 at P 319 (affirming “that responsibility for identifying critical assets should not be
shifted to the Regional Entity or another organization instead of the applicable responsible entities
identified in the current CIP Reliability Standards.”); see also Order No. 706-A at PP 33-35 (recognizing
that entities without a “wide-area view” are entitled to request technical assistance from NERC or the
Regional Entities); see id. at P 35 (“The fact that the Commission has directed the ERO to provide
reasonable technical support does not shift this responsibility from the responsible entity to whatever entity
provides the technical support.”).
10 See Order No. 706 at P 324.
11 Id. at P 255.
be asking Reliability Coordinators, in effect, to undertake a duty normally performed by
the Regional Entities.12 The IRC stated that if its members were, in fact, designated this
role, they should receive the same liability protections afforded to NERC or the Regional
Entities.13 The Commission granted the IRC’s clarification. In particular, the
Commission stated:
[W]e agree that entities designated by the ERO to perform
reviews of a responsible entity’s critical asset list should
receive the same liability protection for performing this
review that the ERO or Regional Entity would have if it
performs this review itself. The responsibility for properly
identifying all of a responsible entity’s critical assets and
critical cyber assets and adequately protecting those assets
rests firmly with the responsible entity. The fact that the
Commission has directed the ERO to develop an external
review process -- as a backup to help assure that the
responsible entity does not overlook any critical assets --
does not shift this responsibility from the responsible entity
to whatever entity conducts the external review.14
As discussed in Section V.B, below, certain Criteria listed in Attachment 1 of the
CIP-002-4 could be interpreted as placing primary responsibility for or creating an
implied obligation related to designating facilities as critical on third parties without the
protections addressed in Order No. 706-A. As such, the Commission should consider
providing additional guidance in its order addressing Version 4 of CIP-002 or future
versions of the CIP Standards, or if necessary, remand specific provisions of CIP-002. In
particular, the Commission should clarify that the Criteria set forth in Attachment 1 do
not shift the responsibility for designating Critical Assets from the Responsible Entities to
a third party, such as Planning Coordinators and/or Transmission Planners.
12 See IRC Request at 7-8; see also Order No. 706-A at PP 48-49.
13 Id. at 7-8.
14 Order No. 706-A at P 53 (emphases added).
To the extent that any oversight responsibility is being delegated, it should be
recognized that a Planning Coordinator or Transmission Planner, if required to evaluate
which generation facilities constitute Critical Assets, will not be in a position to take into
account the interconnectivity amongst and between multiple generation facilities.
Because the Planning Coordinator or Transmission Planner will not know whether there
is a common point of vulnerability among multiple generation facilities, the Planning
Coordinator or Transmission Planner may conclude that no one generation facility is
“necessary to avoid BES Adverse Reliability” as contemplated in Criterion 1.3. Such a
result is undesirable. In fact, from a risk management perspective, a single point of
vulnerability may implicate numerous generation facilities, thereby impacting grid
reliability.
B. Version 4 of CIP-002-4 Warrants Additional Clarification and Direction to Ensure a Uniform Implementation for Identifying Critical Assets
In the NOPR, the Commission proposes to approve the proposed Version 4 of
CIP-002, because that Standard “replace[s] the current risk-based methodology with
uniform, bright line criteria, which will be used by all responsible entities to identify
Critical Assets.”15 Those bright line criteria are listed in Attachment 1 to CIP-004-2,
Requirement R1.16 Although the IRC concurs with the goal of having a uniform system
of Critical Asset identification, as explained below, Attachment 1’s Criteria 1.3 and 1.4
could be interpreted in a manner that is inconsistent with this goal. Criteria 1.3 and 1.4
warrant additional clarification and direction for their implementation to lead to uniform
results.
15 See NOPR at P 26.
16 Id. at P 15.
1. The Commission Must Clarify That Criterion 1.3 Does Not Make Planning Coordinators and Transmission Planners Responsible for or Have an Implied Obligation to Identify Generation Facilities as Critical Assets
Attachment 1, Criterion 1.3 provides that “[e]ach generation Facility that the
Planning Coordinator or Transmission Planner designates and informs the Generator
Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in
the long-term planning horizon” will constitute a Critical Asset. Consistent with prior
Commission orders and the NOPR, the IRC interprets this Criterion as placing primary
responsibility on a Responsible Entity (in this case, the Generator Owner or Operator) to
designate its own assets (in this case, a generation facility) as “critical.”17 By referring to
“[e]ach generation Facility that the Planning Coordinator or Transmission Planner
designates,” however, the Criterion could be interpreted as placing the designation
responsibility on the Planning Coordinator or Transmission Planner. The Commission,
therefore, should clarify Criterion 1.3 so as not to shift the responsibility to or create an
implied obligation on a Planning Coordinator or Transmission Planner to designate
facilities as “Critical.” As discussed above, such an interpretation, absent the appropriate
protections or guidance, would be inconsistent with Order Nos. 706 and 706-A and could
lead to non-uniform approaches, as more fully described below.
17 The Standard Drafting Team (“SDT”) comments also support this view. The SDT stated that “there is no burden or obligation placed on the Planning Coordinator or Transmission Planner to designate any unit as needed to avoid Adverse Reliability Impacts in the long-term planning horizon. However, if the PC or TP has identified Adverse Reliability Impacts (the impact of an event that results in frequency-related
instability; unplanned tripping of load or generation; or uncontrolled separation or cascading outages that affects a widespread area of the Interconnection), then any units identified that avoid this scenario must be classified as a Critical Asset.” See “Consideration of Comments on Successive Ballot for Cyber Security 706 - CIP Version 4 Standards” (Dec. 10, 2010), available at:
http://www.nerc.com/docs/standards/sar/Project_2008-06_Successive_Ballot_Comment_Report_CIP_V4_20101210-1216.pdf.
2. Additional Clarification and Direction is Warranted to Ensure Uniformity in Implementation of Criterion 1.3
a. Criterion 1.3, on its face, Does Not Ensure Uniformity
Attachment 1, Criterion 1.3 does not stipulate a uniform methodology a Planning Coordinator or Transmission Planner should use. The Criterion provides for a
Responsible Entity to designate as “Critical Assets” a generation facility that has been
determined by the Planning Coordinator or Transmission Planner to be necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon, but it does not address
how or under what function the Planning Coordinator or Transmission Planner is to make such a designation. This means that Planning Coordinators or Transmission Planners
might use different methodologies, thereby falling short of the Commission’s stated goal of Standard CIP-002-4 establishing “bright line” criteria.
A supporting document published by the SDT does not support uniformity either. To the extent that NERC intends to enforce compliance with the Standard through
reliance on the “Rationale and Implementation Reference Document” (“RIFD”),18 the RIFD presents problems in its own right.
The RIFD states, in pertinent part:
the drafting team chose to avoid using [the term “reliability
must run”] and instead drafted the requirement in more
generic reliability language. In particular, the focus on
preventing an Adverse Reliability Impact dictates that these
units are designated as must run for reliability purposes
beyond the local area. Those units designated as must run
for voltage support in the local area would not generally be
given this designation. In cases where there is no
designated Planning Coordinator, the Transmission Planner
18 As part of the Standard CIP-002-4 drafting effort, the Standard Drafting Team published the “Rationale and Implementation Reference Document” (“RIFD”) to provide further information about the Standard Drafting Team’s expectations. The RIFD is available at:
http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean_20101220.pdf
is included as the Registered Entity that performs this designation. (emphases added).
The RIFD continues:
[i]f it is determined through system studies that a unit must run in order to preserve the reliability of the BES, such as due to a category C3 contingency as defined in TPL-003 or a category D contingency as defined in TPL-004, then that unit must be classified as a Critical Asset.
Because the structure and wording of Criterion 1.3 changed throughout the
drafting, the RIFD reflects a number of issues that remain ambiguous.19
Given the lack of detail in Criterion 1.3, there is an initial question about whether NERC intends the RIFD to add enforceable terms to the Standard. To the extent this is the case, the Commission should not endorse reliance on the RIFD to support its goal of establishing “bright-line” criteria.
Moreover, there are specific concerns with the RIFD. First, the RIFD is
problematic in that it uses “local area” terminology. The Commission should not endorse
reliance on the RIFD because, in Order Nos. 743 and 743-A,20 the Commission dismissed
19 For example, the December 2009 Draft of CIP-002-4, Criterion 1.3 read: “Each Generation Subsystem that has been pre-designated as Reliability ‘must run’ units.” This draft is available at
http://www.nerc.com/docs/standards/sar/CIP-002-4_2009Dec29.pdf, and the concerns raised with the “must run” terminology are available at
http://www.nerc.com/docs/standards/sar/Comment_Report_Project2008-06_CIP-002-4_Informal_2010May3.pdf. The October 2010 Draft of CIP-002-4, Criterion 1.3, which is available at
http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_clea_revised_Oct_19.pdf, read:
“Each generation Facility that the Planning Coordinator or Transmission Planner designates as required for reliability purposes.” Concerns with the ambiguity of the proposed terminology - “reliability purposes” - were also raised and those are available at
http://www.nerc.com/docs/standards/sar/Ballot_Report_Project_2008-06_20101130.pdf.
20 Revision to Electric Reliability Organization Definition of Bulk Electric System, Order No. 743, 75 Fed. Reg. 72,910 (Nov. 26, 2010), 133 FERC ¶ 61,150 (2010); order on reh’g, Order No. 743-A, 134 FERC
¶ 61,210 (2011).
reliance on “local area” terminology, explaining that it failed to assure uniform approaches.21
Second, the RIFD, on its own terms, does not establish a “bright-line”
methodology and is susceptible to multiple interpretations. For example, some Planning
Coordinators or Transmission Planners assume generation facilities “out of service” as
part of their long-term planning assessments. ISO-NE, for instance, builds in generation
unavailability in its base case, so that the identified long-term planning solutions are
robust enough to ensure that the operation of the system is not dependent upon any single
generator. These Planning Coordinators or Transmission Planners are unlikely to identify
any generation facilities as necessary to avoid Adverse Reliability Impacts for Category
C contingencies (as the RIFD suggests). However, for those Planning Coordinators or
Transmission Planners that do not assume generation is out-of-service as part of their
base case when they are developing long-term transmission solutions, they may identify
generation facilities as necessary.
The RIFD is also unclear due to the use of the term “such as” as to whether or not
the scope of evaluation is limited to Category C3 and D, or if these are examples. While
the disparate impact on Generation Owners or Operators for CIP purposes is clear, it may
or may not be appropriate depending on the Commission’s expectations regarding CIP
protection.
21 See Order 743-A at P 44 (in the context of a “material impacts test” that NPCC used to determine the Bulk Electric System, the Commission concluded that “These flaws include use of the amorphous term “local area,” which was not consistently applied throughout the NPCC region… [T]he subjectivity of the ‘local area’ definition, which ultimately determines whether or not a facility is classified as part of the bulk electric system, has led to varying results throughout the NPCC region”).
Third, the RIFD refers a Planning Coordinator or Transmission Planner to assess the impact of generation loss when conducting assessments under TPL-004, category D contingencies. The value of this approach is uncertain, because TPL Standards are
explicit that whatever the results of these system assessments, the results do not require system solutions. Even more importantly, the system is rarely dispatched in order to prevent adverse consequences from category D contingencies, suggesting that this
evaluation may not have a material impact on reliability.
Finally, Criterion 1.3 and the RIFD also are unclear as to how to handle many of
the most common occurrences where generation must be operated in order to preserve the
integrity of the BES. In many portions of the system, a single generation facility may not
be necessary for the reliable operation of the BES. However, there may be a need to run
a generation facility in an area, but it may be one of many available choices in that area.
It is not clear if all of these generation facilities fall under the Criterion, or if none of
them do since the system can be operated without the presence of an individual facility.
b. Criterion 1.3 Creates the Potential for Conflicting Determinations by a Planning Coordinator and a Transmission Planner
Criterion 1.3 refers to “Planning Coordinator or Transmission Planner” without
explicitly addressing what result the Generator Owner or Generator Operator should
follow in the event that the Planning Coordinator and the Transmission Planner come to
different conclusions. As written, the Criterion suggests that so long as either the
Planning Coordinator or the Transmission Planner concluded that the generation facility
is necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon,
then the Generator Owner or Generator Operator shall deem it a “Critical Asset”. The
RIFD, however, states that the Transmission Planner only has authority when there is no
Planning Coordinator. If this is how the language is to be interpreted, the Criterion itself should be explicit on what happens when there are a Planning Coordinator and a
Transmission Planner.
c. Criterion 1.3 is Inconsistent with Order No. 733 in that it Fails to Provide Generator Owners and Operators a Clear Appeals Process
In Order No. 733, the Commission ordered NERC to develop a mechanism by
which companies could challenge determinations made by Planning Authorities
regarding the criticality of facilities for purposes of PRC-023.22 NERC, however, has not
provided a mechanism by which Generator Owners or Generator Operators may
challenge the decision of a Planning Coordinator or Transmission Planner.
In many areas of the country, the Planning Coordinator or Transmission Planner will be a different entity than the Generator Owner or Generator Operator. Because there is a mixing of parties’ responsibilities in the Criterion, the Commission needs to consider how to address the rights of Generator Owners or Generator Operators in the context of designations under the CIP Standards, or otherwise explain why the Generator Owner or Generator Operator has no rights to challenge the Planning Coordinator or Transmission Planner’s determination.
3. Additional Clarification is Warranted with Respect to Criterion 1.4 as It Appears to Alter the NERC Compliance Registry Standard for Determining Blackstart Critical Assets
Criterion 1.4 provides that “[e]ach Blackstart Resource identified in the
Transmission Operator’s restoration plan” constitutes a Critical Asset. This Criterion
22 See Order No. 733 at P 97 (“Finally, commenters argue that there should be some mechanism for entities to challenge criticality determinations. We agree that such a mechanism is appropriate and direct the ERO to develop an appeals process (or point to a process in its existing procedures) and submit it to the
Commission no later than one year after the date of this Final Rule.”).
appears to conflict with the test provided in the NERC Statement of Registry Criteria and should therefore be clarified.
The NERC Statement of Registry Criteria suggests that blackstart units that are
not “material to” an entity’s restoration plan are not covered by NERC Standards. It
states that entities “being subject to registration as an LSE, DP, GO, GOP, TO, or TOP
should be excluded from the registration list for these functions” if they do not meet any
of the listed criteria.23 In pertinent part, the criteria states: “Any generator, regardless of
size, that is a blackstart unit material to and designated as part of a transmission operator
entity’s restoration plan.”24 As a result, some Regional Entities may have determined
that certain blackstart units are not material to the Transmission Operator’s restoration
plan, and are therefore, presumably, not covered by NERC Standards.
With the introduction of Criterion 1.4, the question raised, therefore, is whether CIP-002 is meant to apply to all blackstart units covered by NERC Standards per the Statement of Registry Criteria or whether it applies to all Blackstart Resources. If it is the latter, further clarification is warranted as to: (i) whether the Statement of Registry Criteria must be revised to eliminate the reference to “material to” and (ii) whether these blackstart generation facilities will therefore be subject to all NERC Standards.
C. Comments on the Commission’s Proposal to Establish a Deadline for Addressing Order No. 706’s Directives and Other Approaches to Identify Critical Cyber Assets
Recognizing Version 4 of the CIP Standards as an “interim step” to address the
Commission’s directives in Order No. 706, the Commission also seeks comments on the
23 NERC Statement of Compliance Registry Criteria (Revision 5.0) at 6 (Oct. 16, 2008), available at
http://www.nerc.com/files/Statement_Compliance_Registry_Criteria-V5-0.pdf.
24 Id. at 8.
proposal to establish a deadline for NERC to satisfy such directives, as well as other potential approaches to identify Critical Cyber Assets.25 More specifically, the
Commission seeks comments on:
(1) the proposal to establish a deadline using NERC’s
development timeline for the next version of the CIP
Reliability Standards; (2) how much time NERC needs to
develop and file the next version of the CIP Reliability
Standards; (3) other potential approaches to Critical Cyber
Asset identification; and (4) whether the next version is
anticipated to satisfy all of the directives in Order No.
706.26
The IRC offers the following comments.
1. Additional Guidance and Direction is Needed Given the Potential Overlap and Conflicts with Impending Version 5 of the Standards
Given the potential overlap and possible conflicts between Version 4 and Version
5 of the CIP Standards, to the extent that the Commission approves Version 4, the IRC requests that the Commission provide additional guidance to NERC on how to exercise discretion on enforcement and implementation issues.
In the NOPR, the Commission proposes to “establish NERC’s current
development timeline” as the deadline for addressing all of the directives in Order No. 706.27
According to the NOPR, “NERC anticipates submitting the next version of the CIP
Reliability Standards [i.e., Version 5] to the NERC Board of Trustees by the second
quarter of 2012, and filing that version with the Commission by the end of the third
quarter of 2012.”28
25 See NOPR at 20.
26 Id.
27 Id. at 67.
28 Id. at P 66.
It is not unreasonable to establish a deadline for addressing all of the directives in
Order No. 706, and the IRC supports establishing such a deadline, as long as sufficient
time for stakeholder input is afforded. However, NERC’s proposed timeline raises
concerns. The timing and proposed implementation for both Version 4 and impending
Version 5 of the Standard appear to show a rush to get revised standards issued or to
issue standards that address some issues instead of issuing one set of complete,
appropriate standards. To illustrate, Version 4 was issued with an abbreviated comment
period held in parallel with a successive ballot to support a goal of completing revisions
prior to the end of 2010. It is not good practice to issue standards that immediately
require clarification and interpretation - as is the case for Version 4 and is likely to be the
case for Version 5 - in order to be able to implement the standard as intended. The
proposed schedule may present an unnecessary burden to many entities with little added
benefit, as well as challenges for auditors and entities in maintaining documentation to
support audits.
2. The Commission’s Concerns with Respect to Cyber Asset Connectivity Should Be Addressed
In Paragraph 43 of the NOPR, the Commission states that:
in light of recent cybersecurity vulnerabilities, threats and
attacks that have exploited the interconnectivity of cyber
systems, the Commission seeks comments regarding the
method of identification of Critical Cyber Assets to ensure
sufficiency and accuracy. The Commission recognizes
that control systems that support Bulk-Power System
reliability are “only as secure as their weakest links,” and
that a single vulnerability opens the computer network and
all other networks with which it is interconnected to
potential malicious activity. Accordingly, the Commission
believes that any criteria adopted for the purposes of
identifying a Critical Cyber Asset under CIP-002 should be
based upon a Cyber Asset’s connectivity and its potential to
compromise the reliable operation of the Bulk-Power
System, rather than focusing on the operation of any
specific Critical Asset(s). The Commission seeks
comments on this approach.
The Commission’s concerns with connectivity are valid and should be addressed.
In this respect, the IRC offers that certain Asset Owners and Operators adopt a “mutual
distrust” posture with other Bulk Power System assets and, therefore, the connectivity of
these other assets does not compromise the Asset Owners’ and Operators’ security. If
other Asset Owners and Operators adopt a “mutual distrust” posture among their
individual units that have inter-connectivity, then the Commission’s concerns should be
addressed. If they do not, then the Commission is correct to note that a Cyber Asset’s
connectivity among multiple transmission or generation facilities may compromise the
reliable operation of the grid.
IV. CONCLUSION
The IRC respectfully requests that the Commission formulate the final rule in this
proceeding in a manner consistent with the comments submitted herein.
Respectfully submitted,
/s/ Craig Glazer
Craig Glazer
Vice President - Federal Government Policy
Steven R. Pincus
Assistant General Counsel
PJM Interconnection, LLC
1200 G Street, N.W. Suite 600
Washington, D.C. 20005
/s/ Stephen G. Kozey
Stephen G. Kozey
Vice President, General Counsel, and Secretary
Midwest Independent Transmission System Operator, Inc.
P.O. Box 4202
Carmel, Indiana 46082-4202
/s/ Anthony Ivancovich
Anthony Ivancovich
Assistant General Counsel-Regulatory
California Independent System Operator Corporation
151 Blue Ravine Road
Folsom, California 95630
/s/ Monica Gonzalez
Raymond W. Hepper
Vice President, General Counsel, and Secretary
Theodore J. Paradise
Assistant General Counsel - Operations and Planning
Monica Gonzalez, Esq.
Senior Regulatory Counsel
ISO New England Inc.
One Sullivan Road
Holyoke, MA 01040-2841
Tel: (413) 535-4000
Fax: (413) 535-4379
E-mail: mgonzalez@iso-ne.com
/s/ Paul Suskie
Paul Suskie
Sr. VP - Regulatory Policy and General Counsel
Southwest Power Pool, Inc
415 North McKinley, Suite 140
Little Rock, AR 72205
/s/ Carl F. Patka
Carl F. Patka
Assistant General Counsel
Raymond Stalter
Director, Regulatory Affairs
New York Independent System Operator, Inc.
10 Krey Blvd
Rensselaer, New York 12144
Dated: November 21, 2011