CYBERSECURITY DEVELOPMENTS

VulnerabilitiesIdentified in Implementations of the DNP3 Protocol October 16 – Wired reporter Kim Zetter broke a story that in April 2013 researchersChris Sistrunk and Adam Crain discovered vulnerabilities in SCADA and industrialcontrol systems (ICS) using the DNP3 protocol. The vulnerability, which occurs in the implementations of DNP3 by manyvendors, would allow a data packet sent from a remote location to crash themaster controller without physical access to the master controller.  The DNP3 protocol is used in a wide range ofICS equipment, and communications over devices using serial protocols are notcovered by the current NERC CIP version 3 reliability standards, which applyonly to a subset of electric utilities.

Inresponse to the news report, on October 18 ICS-CERT issued an alert regarding the vulnerability for both internetprotocol (IP) and serially-connected devices. The researchers, who reported their findings to ICS-CERT in April, intendto reveal more technical details at Digital Bond's S4X14conference in January 2014. 

NIST Releases Preliminary Cybersecurity Framework October 23 – TheNational Institute of Standards and Technology released its PreliminaryCybersecurity Framework.  The frameworkis voluntary, and outlines a series of steps aimed at helping both large andsmall organizations develop a risk-based approach to improving cybersecurity. Comments are due to NIST by December 24, andthe final framework will be released in February 2014.  NIST will also hold a workshop to discuss theframework on November 14-15.

PricewaterhouseCoopers Releases 2014 Cybersecurity Survey –PricewaterhouseCoopersreleased its Global State ofInformation Security® Survey 2014.  Thesurvey reports among its findings that 57% of the global utilities surveyed considerthemselves “front-runners” ahead of the pack in strategy and securitypractices, and that current and former employees are the most likely source ofsecurity incidents.

NERC AND FERC

FERC Issues Final Rule on Transmission PlanningReliability Standards October 17 – FERCissuedOrder No. 786, a final rule for Transmission Planning (TPL) Reliability StandardTPL-001-4.  The new standard will requireannual assessments of short- and long-term planning for steady state, shortcircuit, and stability conditions, and contains a provision allowingtransmission planners to develop plans for non-consequential load loss as amitigation method following a single contingency.  The new rule was delayed by an extendedremand process, after FERC found the earlier proposed version unclear regardingthe use of non-consequential load loss. Commissioner LaFleur issued a separate statement praising the collaborative process by which the standard was developed.

The rule will becomeeffective December 23, 2013, and compliance with the standard’s requirementswill become mandatory on January 1, 2016. On that date, current standards TPL-001-0.1, TPL 002-0b, TPL-003-0a, andTPL-004-0 will be retired.  NERC willmonitor the use of non-consequential load loss, and will report to FERC afterthe first two years of implementation. 

FERC Denies Rehearing Request in City ofHolland Registry Decision October 17 – FERC denied the request forrehearing of the City of Holland, Michigan resulting from the Commission’s upholdingRFC and NERC’s decision to register the City as a transmissionowner/operator.  The case involvedwhether the City’s facilities were used in local distribution (and thusexcluded from FERC’s authority over the reliability of the Bulk-Power System)or should otherwise be excluded from the definition of the Bulk Electric System(BES) due to their radial character.  Inaffirming its earlier decision, FERC held that the City may return to NERC torequest an exemption under the revised BES definition exemption process (see our January 2, 2013 Alert on the new BES definition) and that it may also separately request adetermination from FERC that the facilities in question are used in localdistribution under FERC’s seven-factor test. Commissioner LaFleur concurred in the decision and emphasized that theCity may seek a BES exclusion or a determination from FERC that the facilitiesare used in local distribution.

FERC Issues Assessment of Demand Response & AdvancedMetering October18 – In accordance with the requirements of the Energy Policy Act of 2005, FERC issued its annual report assessingelectricity demand response resources. In the report, FERC indicates that penetration of advanced meters is onthe rise and that demand response resources made “significant contributions tobalancing supply and demand” during several system emergencies that occurred inseveral RTOs and ISOs during the summer of 2013.  Additionally, the report highlights thepotential of demand response resources to serve as quantifiable, reliableresources in regional planning under FERC’s Order No. 1000.

NERC FilesInformational Filing Regarding CIP Version 5 Implementation Study October 11 – NERC madean informational filing with FERC thatdescribes a transition plan and CIP Implementation Study for moving from CIP version3 to version 5.  In its filing, NERCdescribes the implementation study as a pilot project from October 2013 throughApril 2014 that will involve a moving a select group of entities from version 3to version 5 ahead of the rest of industry. The study participants will have individual transition plans and willnot be subject to NERC compliance or enforcement activities during thetransition period. NERC will share lessons-learned and offer industry-widefeedback, and revise the reliability standard audit worksheets (RSAWS) as partof the transition plan.

FERCApproves WECC BAL Standards October 16 – FERC issued a letter order approving proposedregional reliability standard BAL-004-WECC-2 (Automatic Time Error Correction)and proposed reliability standard BAL-001-1 (Real Power Balancing ControlPerformance).  NERC and WECC jointly petitionedfor approval of the standards pursuant to Order No. 723.

FERC Accepts Operations Reliability Coordination Agreement forMISO South Region October10 – FERC has accepted for filing the MISO’s proposedOperations Reliability Coordination Agreement. The agreement between MISO and several neighboring utilities andtransmission providers is intended to address potential reliability issuesassociated with the integration of the “MISO South Region” into the MISOBalancing Authority Area (BAA).  The MISOSouth Region, which is comprised of BAAs operated by Entergy, the LouisianaEnergy and Power Authority, and a number of other utilities in the South, is inthe process of being integrated into the MISO system. 

NERC Posts Training Materials on Management of Southwest ColdWeather Events October 2 – NERCposted new training documents and presentations to assist utilities in managingthe impacts of cold-weather events in the Southwest.  The documents are a product of a FERC-NERCjoint task force that was formed following the February 2011 Southwest ColdWeather Event, which knocked out power to over 4 million customers andinterrupted natural gas supplies for 50,000 people.  The new training materials are available atthe bottom of the task force webpage.

NERC Filings – Recent NERC filings at FERC include: (1) Reply Comments in Response toNotice of Proposed Rulemaking to Approve BAL-003-1​​; and (2) a Doc-Less Motion to Intervene in Docket No.AD13-8-000​, in  which FERC requestedcomments on the market implications of the frequency response and frequencybias setting requirements in BAL-003-1.

REGIONAL ENTITY NEWS

WECCAppoints CEO Designate October 17 – WECC announced it has appointedJames (Jim) B. Robb as CEO Designate, who will take over upon the retirement ofthe current WECC CEO, Mark Maher.  Mr.Robb’s appointment becomes effective on November 4, 2013 and Mr. Maher willassist in the transition until retiring at the end of 2013.  Mr. Robb’s most-recent position was SeniorV.P., Strategic Planning and Environmental Affairs with Northeast Utilities.

OTHER

Suspect Arrested in Arkansas TransmissionAttacks October 12 – TheU.S. Attorney’s Office for the Eastern District of Arkansas announced that a suspect had been arrested in conjunction with three recent attacks whichrespectively damaged a transmission tower, a switching station, and powerpoles.  The alleged perpetrator faces apossible sentence of up to 20 years imprisonment and a $250,000 fine. 

The Van Ness Feldman Electric Reliability Update is published by Andrew Art, Malcolm McLellan and Gabe Tabak, with assistance from Christopher Zentz, Thomas Hutton, Ilan Gutherz, and Van Smith.  Van Ness Feldman counsels, advises and trains a wide range of clients on reliability matters.  Please email us for additional information.