NERC’s first critical-infrastructure standard is now enforceable. But cyber rules await approval.
Christian Hamaker is managing editor of Public Utilities Fortnightly.
In the midst of a long, hot summer, North American utilities have to worry about more than the typical seasonal strain on the grid. They need to be thinking about sabotage and cyber security.
Never far from administrators’ minds, sabotage has taken on even more importance with the approval of the first Critical Infrastructure Protection (CIP) standard by the North American Electric Reliability Corp. (NERC). At press time, a final rule on several cyber-security standards was expected soon.
NERC submitted numerous reliability standards for approval to the Federal Energy Regulatory Commission (FERC), which last year certified NERC as the nation’s Electric Reliability Organization (ERO). As of June 18, 2007, 83 of the standards—including the first CIP standard (see sidebar, “Standard CIP-001—Sabotage Reporting”)—have been approved.
But what about the other CIP standards—CIP-002 through 009—which deal mainly with cyber security? Those standards, approved by NERC, are mandatory, but until FERC approves them, not enforceable. “I think that there is a misperception out there that the ERO is the nation’s reliability regulator and that the commission isn’t very involved in the process,” says Joe McClelland, director of the division of reliability at FERC. “That’s not really the legislative model. We do have independent authority to do these things … and we will be actively involved.”