
FERC Order 848, cyber security and reliability

Thursday, July 19, 2018

U.S. energy regulators have issued an order directing the nation's electric reliability organization to strengthen its standards for the mandatory reporting of cyber security incidents.

Federal law authorizes the Federal Energy Regulatory Commission to regulate significant aspects of the bulk electric system's reliability. The Commission's jurisdiction over reliability covers the nation's electric reliability organization, the North American Electric Reliability Corporation (NERC), which is charged with developing mandatory reliability standards and submitting them to the Commission for approval.

Following increased concern over cybersecurity and hacking affecting utilities, in 2017 the Commission issued a Notice of Proposed Rulemaking proposing to direct that NERC develop enhanced Cyber Security Incident reporting requirements. At that time, then-current reliability standards generally required responsible entities to report Cyber Security Incidents only if they have “compromised or disrupted one or more reliability tasks.” But the Commission expressed a concern that this reporting threshold "may understate the true scope of cyber-related threats facing the Bulk-Power System, particularly given the lack of any reportable incidents in 2015 and 2016." As a result, the Commission proposed requiring NERC to develop and submit modifications to its reliability standards, to require the reporting of cyber security incidents that compromise, or attempt to compromise, certain security infrastructure.

On July 19, 2018, the Federal Energy Regulatory Commission issued its Order No. 848. Through that order, the Commission adopted its own proposal to "improve awareness of existing and future cyber security threats and potential vulnerabilities." As described by the Commission, Order No. 848's directive consists of four elements:
  1. responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS);
  2. required information in Cyber Security Incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information;
  3. filing deadlines for Cyber Security Incident reports should be established once a compromise or disruption to reliable BES operation, or an attempted compromise or disruption, is identified by a responsible entity; and
  4. Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Further, NERC must file an annual, public, and anonymized summary of the reports with the Commission.

The Commission directed NERC to submit these modifications to its reliability standards within six months of Order No. 848's effective date.

FERC hydropower and successive preliminary permits

Wednesday, December 16, 2015

U.S. federal regulators can give a preliminary permit to the developer of a proposed hydropower project -- but won't give out a successive permit unless the developer demonstrates it acted diligently under its prior permit.

Developers of proposed hydropower projects in the U.S. can apply for a preliminary permit from the Federal Energy Regulatory Commission.  During its term -- up to three years, according to the Federal Power Act -- a preliminary permit for a hydropower project does not authorize construction, but gives the permittee first priority to apply for a license for the project.  This exclusivity allows the permittee to study the site, communicate with stakeholders, and develop the information necessary to support a license application.  It also gives the permittee something of a "reservation" for the site during its term.  In exchange, the permittee must submit periodic reports on the status of its outreach efforts and studies.

Sections 4(f) and 5 of the Federal Power Act authorize the Commission to issue preliminary permits to potential license applicants for a period of up to three years.  While the statute does not specify how many preliminary permits an applicant may receive for the same site, the Commission's policy is to grant a successive preliminary permit only if it concludes that the applicant has pursued the requirements of its prior preliminary permit in good faith and with due diligence.   The Commission has noted that each application for a successive preliminary permit is considered on a case-by-case basis, but has described "a minimum bar that a permittee must achieve to be diligent."

A recent FERC delegated staff order in Coralville Energy, LLC, Project No. 14431-001, illustrates this policy.  On November 2, 2015, Coralville Energy applied to the FERC for a preliminary permit for the Burlington Street Dam Hydroelectric Project, to be located at the existing Burlington Street Dam on the Iowa River, near Iowa City in Johnson County, Iowa. 

But this was not Coralville Energy's first application relating to the Burlington Street Dam; it had received a preliminary permit three years earlier, on October 18, 2012.  According to the 2015 order, the record under that prior permit "shows that Coralville Energy did not pursue the requirements of its prior permit with due diligence for purposes of receiving a successive permit because it fails to demonstrate progress toward preparing a development application."

In particular, the 2015 order identifies a series of problems with the semi-annual reporting under the 2012 preliminary permit: late reports filed subsequent to Commission staff’s letters warning Coralville Energy of probable cancellation for failure to file progress reports; reports that were too brief, vague, and "nearly identical"; no change to the study plan from that proposed in 2012, suggesting no progress made toward the preparation of a development application; and no information about conducting, reviewing, or coordinating environmental studies or the status of the permittee’s efforts to obtain permission to access and use land not owned by the permittee.

By contrast, the order describes Commission staff's view that the requisite diligence requires completion of certain steps towards preparing a development application, including "developing study plans, conducting studies in a timely fashion, consulting with resource agencies, and developing the application in accordance with the Commission’s regulations."  Additionally, Commission staff has said that it "must be able to discern a pattern of progress toward the preparation of a development application from the content of a permittee’s filings."

On this basis, the 2015 order denied Coralville Energy’s application for a successive preliminary permit.  The order illustrates FERC hydropower staff's perspective on the level of diligence expected of the holder of a preliminary permit.  It also highlights the importance of substantive action in pursuit of a license or development application as well as timely and adequate semi-annual reporting by preliminary permittees.