
Regulatory Affairs news highlights: October 2024


Recent regulatory headlines we’re tracking include:

FERC holds workshop to discuss generation interconnection

On Sept. 10 and 11, FERC held a workshop to discuss innovations and efficiencies in generator interconnection processes. FERC Chair Willie Phillips opened the workshop with comments on the importance of generator interconnection reform, noting that there is 2,000 GW of generation waiting in the queue with an average wait time of five years. Chair Phillips noted that the issuance of Order 2023 was “just the first stop,” and that there is much more to be done. Day one of the workshop focused on innovations, and panelists discussed the importance of an expanded and proactive transmission planning process, especially given the increasing energy demand resulting from data centers, electrification, and electric vehicles. There was also discussion of an “expedited reliability queue” for projects that are ready to proceed (“shovel-ready”), which could run alongside the existing queue.

Day two of the workshop discussed efficiencies, and a major theme from the discussions was the importance of transparency and additional data sharing from all parties, to more quickly and accurately advance projects that are ready in the queue. There was also discussion of automating certain aspects of system impact studies through software, which could speed up the study process. Throughout the workshop, RTOs (including SPP, MISO, New York ISO, California ISO, and PJM) shared their approaches to and latest developments in the generation interconnection process. A recorded webcast from day one of the workshop is available here, and the recording from day two is available here. FERC is also inviting the filing of public comments (by Oct. 15) on the topics and questions presented during the workshop in FERC Docket No. AD24-9-000.

 

FERC issues NOPR for new internal network security monitoring reliability standard

On Sept. 19, FERC issued a Notice of Proposed Rulemaking (NOPR) proposing to approve a new CIP standard submitted by NERC, CIP-015-1, which establishes requirements for internal network security monitoring (INSM) for network traffic inside an electronic security perimeter. These requirements would apply to all high-impact Bulk Electric System (BES) Cyber Systems and all medium-impact BES Cyber Systems with external routable connectivity. FERC explains in the NOPR that INSM provides visibility into communications between networked devices within a trust zone and can detect malicious activity that has circumvented perimeter control. The use of INSM increases the likelihood of earlier detection, mitigation, and recovery from a cyber attack.

The NOPR also proposes to direct NERC to develop modifications to CIP-015-1 within one year, to extend INSM to include electronic access control or monitoring systems (EACMS) and physical access control systems (PACS) outside of the electronic security perimeter. FERC states that this modification is needed because attacks could compromise the EACMS or PACS and then infiltrate the perimeter as a trusted communication. The NOPR provides for a 60-day public comment period from interested parties.

 

FERC issues NOPR on supply chain risk management standards

FERC also issued a NOPR this month that proposed to direct NERC to create new or modified Reliability Standards within one year to address gaps in the existing CIP Standards related to supply chain risk management (SCRM). FERC states that while the existing SCRM standards provide a baseline for supply chain threats, these threats are increasing and there are gaps related to 1) the sufficiency of responsible entities’ SCRM plans related to the identification of, assessment of, and response to supply chain risks and 2) applicability of SCRM standards to protected cyber assets (PCA). Specifically, the NOPR proposes to direct NERC to:

  • Establish a maximum time frame between when an entity performs its initial risk assessment during the procurement process and when it installs the equipment.
  • Establish periodic requirements for an entity to reassess the risk associated with vendors, products, and services procured under contracts for any supply chain risks that may have developed since the contract began.
  • Require an entity to establish steps in its SCRM plan to validate the completeness/accuracy of information received from vendors during the procurement process (to better inform the identification and assessment of supply chain risks).
  • Require that entities establish a process to document, track, and respond to all identified supply chain risks.

Regarding the applicability of the SCRM standards to PCAs (ancillary equipment that resides behind a responsible entity’s electronic access point within BES Cyber Systems), the NOPR proposes to direct NERC to modify the SCRM standards to include PCAs as applicable assets. The NOPR also proposes to direct NERC to protect PCAs from supply chain risk at the same level as other assets inside an electronic security perimeter. The NOPR provides for a 60-day public comment period from interested parties.