It’s confirmed. As mentioned by Kevin Perry, Tom Alrich and Peter Behr, the Federal Energy Regulatory Commission (FERC) will be performing their own audits of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standards (CIPS) in 2016. It sounds like they will be choosing entities that are already on the 2016 audit cycle and will likely continue this practice into 2017, possibly beyond. Given the FERC staffing level, I would expect something on the order of 7-8 audits per year.
I’ve been able to get a little more information from my contacts at FERC and ex-FERC staffers with knowledge of the approach. I’m hearing that the strongest focus will be on the application of CIP-002-5 and the resulting Bulk Electric System (BES) Cyber Systems (and/or BES Cyber Assets). I’m not getting any indications that FERC will be overly strict or dig any deeper than the NERC Regions currently do in their audits.
I do expect FERC to sample all types of utilities ranging from the big Investor Owned Utilities, to the municipals/publics, the cooperatives and even the independent power producers. FERC has shown a tendency to gather information from all interested parties and not just focus on a single “demographic” under their purview.
No, FERC is not taking over the audit process. CIP Compliance Audits are still a NERC/Regional thing and no changes to the current model are expected for the foreseeable future. FERC has always had the authority to perform their own audits so this is well within their scope. However, historically, when FERC participated in an audit they were (ostensibly) there to audit NERC and/or the Region performing the audit of any given utility company – and not auditing the utility directly. This “new” approach is an independent audit of the utility, not necessarily involving NERC or any Region.
What could go wrong? I see (at least) a couple of interesting areas for potential unintended consequences of this activity…
First, FERC may have a different perspective (interpretation) on what the language in the CIP standards means to them. I hesitate to use the word “interpretation” because that has a special regulatory meaning but it still applies. The industry is already struggling with the NERC and Regional interpretive and guidance processes. Adding FERC to this mess may muddy the water even more. Another view on this is that it may actually normalize the interpretations and guidance because we will finally know how FERC understands the language.
The second area of interest is the Compliance Monitoring and Enforcement Program (CMEP). Will FERC follow the NERC CMEP, or will they do something different? And if so, how far from NERC’s process will it be? If/when FERC finds a violation, what will the process look like? Will the penalties be steeper?
Why is FERC doing this? Some speculate that FERC is flexing their muscle and trying to send a message that they are still in control. Some say that FERC doesn’t have high confidence in what they are getting from NERC so they want to go see for themselves where the industry stands with respect to CIP compliance. Some say that FERC is positioning to increase the scope of the standards to cover more of the industry. In short, none of the speculation is positive and there is a lot of fear, uncertainty and doubt (FUD) about this whole thing. FUD makes people do crazy things, so expect some wackiness as this starts to gain traction.
I, for one, think this is a good thing. Having FERC actively engaged may be challenging at first, but the long-term effect will be a more informed and involved regulator. I am hopeful that this will increase the likelihood of better regulation.