Commissioner Cheryl A. LaFleur Statement
November 21, 2013
Docket Nos. RM13-5-000, RM13-12-000, RM13-14-000, RM13-15-000, and RM13-8-000
Item Nos. E-2, E-3 & E-4
Multiple Reliability Orders
“The reliability orders on today’s agenda address matters critical to the reliability of the bulk electric system. Three of today’s orders also have broader implications for NERC’s efforts to reform its standards development process and enforcement processes.
“Over the last year, NERC has implemented two significant policy initiatives. One involves an approach to drafting standards that emphasizes efficiency, attention to risk, and avoidance of redundant requirements. The other is an effort to shift the focus of enforcement away from tallying individual violations and instead fix it on the quality of a company’s internal controls and compliance program. These initiatives complement one another. If the standards are written efficiently to require performance results rather than documentation, there will be less confusion and fewer violations of a purely administrative character. At the same time, when there are minor violations that do not significantly affect the grid, NERC’s expressed intent is that they can be addressed by a review of an entity’s compliance program rather than in a resource-intensive adversarial proceeding on each violation.
“Today’s orders on cyber security, the TOP and IRO standards, and NERC’s petition to retire certain reliability requirements speak not only to the particular matters at issue in those proceedings, but also to both of these initiatives. I strongly support NERC’s efforts in both the standards and enforcement areas, but emphasize that for them to be successful the standards themselves must be clear, enforceable, and technically justified.
E-2 CIP 5 Order
“Today’s order substantially approves Version 5 of the Critical Infrastructure Protection (CIP) Standards. Version 5 is a significant step forward for cyber security. For the first time, all bulk electric system cyber assets will be required to receive some level of protection, commensurate with their impact on the grid. This advancement, combined with several new cyber security controls developed by NERC, puts into place the most comprehensive cyber protections yet approved by the Commission.
“Although the Version 5 Standards are a significant improvement over the previously effective standard, the Commission directs two modifications that I would like to note. First, the Commission directs removal of language that requires certain CIP requirements to be implemented in a manner that “identifies, assesses, and corrects” deficiencies. Commenters disagreed over the obligations imposed by this language, highlighting its inherent ambiguity and underscoring the Commission’s previously stated concerns about its enforceability and consistent application across regions.
“As I have remarked on other occasions, all involved in the ERO enterprise must have a common understanding of the obligations imposed by reliability standards. Otherwise, we risk creating gaps in reliability, confusion during audits, and a compliance backlog that diverts resources away from improving reliability. And, while I strongly support NERC’s effort to reform its enforcement process, enforcement considerations should not cause the standards themselves to be ambiguous.
“Second, the Commission requires NERC to develop objective criteria against which NERC and the Commission can evaluate the sufficiency of entities’ cyber protections for low impact assets. Some commenters argued against such a modification on the grounds that it would increase their administrative burden without increasing reliability. While by definition low impact facilities do not pose as great a risk to the bulk electric system as high or medium impact facilities, the lack of clear standards against which NERC and the Commission can evaluate entities’ protections for low impact facilities undermines one of the most important improvements in the Version 5 Standards: the requirement that all bulk electric system cyber assets receive a defined level of protection commensurate with their impact on the system. It also introduces an unacceptable level of ambiguity and potential inconsistency into the compliance process and creates an unnecessary gap in reliability.
“However, the order does not require NERC to develop a list of specific controls for low impact facilities. NERC is free to respond to our directive by developing such a list, but it has the flexibility to address our concerns through other means. For example, NERC could define an appropriate set of control objectives for low impact assets, subdivide low impact assets into different categories with different defined controls or control objectives applicable to each subcategory, or define with greater specificity the policies that responsible entities must have in order to comply with CIP-003-5, Requirement R2. NERC may also propose an alternative approach that addresses our concern in an equally efficient and effective manner.
E-3 Order on TOP and IRO Standards
“Our order on the TOP and IRO standards also has broader implications for NERC’s ongoing efforts to improve the standards development process. NERC proposed revisions to the currently effective standards with the intent to combine similar requirements, clarify entities’ responsibilities, and eliminate redundant or ineffective requirements. I agree with these goals and encourage NERC to continue to find ways to improve the reliability standards.
“However, NERC’s proposal in this instance goes further and eliminates transmission operators’ current obligation to monitor and operate within all system operating limits. For example, if they are not designated as interconnection reliability operating limits, NERC’s proposal would exclude from monitoring certain system operating limits within one transmission operator’s area that impact another transmission operator’s area. As the order explains, experience, including the 2011 Southwest Blackout, indicates that even system operating limits that are not designated as interconnection reliability operating limits can initiate an outage or contribute to deteriorating conditions. In short, we cannot always foresee what operating limits will be critical in an emergency. Therefore, we propose to remand the standards, but give NERC and other commenters an opportunity to respond to this and other concerns we raise in the order.
E-4 Order on Proposal to Retire Standards
“The proposal to remand the TOP and IRO standards should not be mistaken as a lack of support for NERC’s ongoing efforts to streamline and improve reliability standards. In today’s order approving NERC’s petition to retire certain reliability requirements, the Commission makes clear that it agrees with NERC’s plan to consolidate, retire, and otherwise streamline requirements through the standards development process.
“I believe that, taken as a whole, today’s orders signal broad support for NERC’s efforts to revamp the standards development and enforcement processes, but caution with respect to the details. I look forward to continuing to work with my fellow Commissioners, NERC, the regional entities, and industry stakeholders on these important efforts in order to make the work of the ERO enterprise more efficient and sustainable.”