NERC CIP: Introduction to Federal Energy Regulatory Commission (FERC)

Thursday, December 11, 2025
10:00 AM PST | 01:00 PM EST
Duration: 90 Minutes
Tom Alrich
Webinar Id: 61833
Live Session: $119.00 Single Attendee | $249.00 Group Attendees
Recorded Session: $159.00 Single Attendee | $359.00 Group Attendees
Combo (Live + Recorded): $249.00 Single Attendee | $549.00 Group Attendees

Overview:

FERC is the direct successor to the Federal Power Commission (FPC), which was founded in 1920 to license hydroelectric projects; its jurisdiction over interstate electricity (Federal Power Act, 1935) and interstate natural gas (Natural Gas Act, 1938) was added later. When the US Department of Energy (DOE) was created in 1977, the FPC was abolished and its functions were transferred to FERC, which was, and continues to be, an independent regulatory agency housed within DOE.

In reaction to the 2003 Northeast Blackout, the Energy Policy Act of 2005 (which added Section 215 to the Federal Power Act) directed FERC to certify an Electric Reliability Organization (ERO), whose purpose is to develop, and audit compliance with, a set of mandatory Reliability Standards for the North American power grid. Congress chose this unusual arrangement because it recognized that operating the North American grid is far too complex and technical to be regulated directly by an organization consisting mostly of lawyers, which is what FERC is.

In 2006, FERC certified NERC as the ERO, most likely because NERC was already developing, and auditing compliance with, a set of voluntary grid reliability standards. After NERC was designated as the ERO, most of its existing reliability standards were rewritten as mandatory standards carrying significant fines for non-compliance (a violation of a FERC-approved NERC standard can carry a civil penalty of up to $1 million per violation per day). NERC continues to enforce those standards, as well as others that have been written since then.

In January 2008, FERC approved NERC's first set of mandatory cybersecurity standards, CIP-002 through CIP-009 (known as CIP version 1), in Order No. 706, while at the same time ordering NERC to make numerous modifications to them. Since then, FERC has repeatedly ordered that the CIP standards be revised and that new standards be developed. FERC must approve every new or revised standard before it can come into effect, and when it does so it often orders NERC to make further revisions, which are then incorporated into new or revised standards.

While FERC plays no direct role in developing or modifying any NERC standard, FERC has built a very knowledgeable cybersecurity staff that closely follows the NERC teams drafting new or modified CIP standards and participates as an observer in many CIP audits. This staff regularly publishes documents with observations made during audits and other compliance activities, without naming individual NERC entities. It also briefs the staffs of the FERC Commissioners on important developments in cybersecurity that may require new or revised CIP standards.

Why you should Attend:

Anyone who is involved - or would like to be involved - in NERC CIP compliance needs a basic understanding of FERC and how it works, because FERC largely drives the agenda NERC follows for developing new standards and modifying existing ones. Even when NERC, rather than FERC, initiates development of a new standard (as with the work of the current "Cloud CIP" Standards Drafting Team), FERC staff members participate in drafting team meetings and offer their personal opinions when appropriate.

FERC staff members often participate as observers in NERC CIP audits; in a small number of cases, they have led those audits themselves. FERC observes audits primarily to gather information on how NERC entities are complying with the standards. If they uncover systematic deficiencies in compliance or risks that are not being properly addressed by current standards, they may propose a new standard or modifications to existing standards.

For example, in 2016 FERC ordered that NERC develop a supply chain cybersecurity risk management standard to address cybersecurity risks that arise through the supply chain, including the risk that purchased devices and software will contain a backdoor or other malware that could be used to attack the Bulk Electric System (BES). This resulted in a new standard CIP-013-1 coming into effect in 2020.

When FERC ordered that the supply chain standard be drafted, the risk of supply chain attacks was mostly theoretical. However, since then two major supply chain cyberattacks, NotPetya and SolarWinds, along with many others, have caused major damage worldwide. CIP-013 was clearly needed!

Since 2020, FERC has observed some CIP-013 audits and reviewed compliance evidence submitted by NERC entities. Those reviews convinced FERC that CIP-013 needs to be modified to fix deficiencies in supply chain risk management policies and practices. Among these deficiencies was the failure of many NERC entities subject to CIP-013 to make sure that vendors actually remediate the cybersecurity weaknesses revealed in the entity's own vendor assessments.

Because of this, in the fall of 2024, FERC issued a Notice of Proposed Rulemaking (NOPR), asking for comments on changes to improve CIP-013. When FERC has finished evaluating those comments, they will probably put out a new Order requiring those changes.

Areas Covered in the Session:

  • How FERC came about and what it does
  • How FERC processes potential violations identified by NERC
  • How FERC studies new threats and (sometimes) orders development of a new standard
  • History of FERC and the NERC CIP standards

Who Will Benefit:

  • CISO and staff, Training Department, NERC Compliance Department, T&D Operations, and other departments at companies subject to NERC CIP who are concerned with operational security and compliance
  • Sales and Technical Support Departments (for vendors to the power industry)
  • Individual employees who know NERC CIP is important to the company and want to learn about it to further their career

  • People who work in other industries (or for consulting organizations) who would like to hear what lessons can be learned from the power industry's experience with CIP

Speaker Profile

Tom Alrich is an independent consultant and trainer specializing in two important topics:

  • Compliance with the rigorous NERC CIP cybersecurity standards, which apply to the control systems that monitor and operate the North American power grid. They are enforced by NERC and the Federal Energy Regulatory Commission (FERC) and carry maximum penalties of $1 million per violation per day. While these standards have been successful in securing the grid in the more than 15 years they have been in effect, they are increasingly inhibiting security by preventing many electric utilities and Independent Power Producers from using cloud-based security software and services.

  • Software vulnerabilities, which "open the door" for the most successful cyber attacks. All software has vulnerabilities. These can never be eliminated, but they can be managed. Management can only succeed, however, if good data are available on the vulnerabilities themselves and on the software or devices in which they are found. Two US government programs are currently essential to providing that data: the CVE Program (sponsored by CISA, part of the Department of Homeland Security, and operated by MITRE) and the National Vulnerability Database (run by NIST, part of the Department of Commerce). Both programs currently face serious problems, and both are likely to undergo big changes in the coming years.