New guidelines issued

FERC approves violation severity levels for CIP reliability standards

Published In: Intelligent Utility Magazine July/August 2010

On March 18, 2010, the Federal Energy Regulatory Commission (FERC) approved, with modifications, certain Violation Severity Level (VSL) assignments for Critical Infrastructure Protection (CIP) Reliability Standards as proposed by the North American Electric Reliability Corporation (NERC).

Implications for registered entities
The VSL assignments approved in the order were effective immediately, and NERC will begin using them as a factor in determining future penalties for violations of the cyber security CIP Reliability Standards. Because FERC's new guidelines require NERC to take an all-or-nothing approach where a weakest-link vulnerability is present, registered entities have an increased incentive to ensure strict compliance with the CIP Reliability Standards. Similarly, registered entities should ensure their compliance procedures that address requirements identifying both implementation and documentation include specific provisions covering those interdependent tasks.

Although the order addresses VSL assignments for Version 1 of the CIP Reliability Standards, the two additional guidelines are not limited to the initial version. VSL assignments for subsequent versions of the standards must also comply with these new guidelines. Thus, registered entities should take the new guidelines into consideration when designing, revising or implementing a compliance program that addresses the CIP Reliability Standards.

Moreover, the order confirms the need for registered entities to have a robust compliance program that covers reliability compliance and includes written procedures that specifically address the requirements in the reliability standards.

VSL revisited
The VSL is a measure of the degree (lower, moderate, high or severe) to which a reliability standard requirement has been violated. NERC considers the VSL together with a "Violation Risk Factor," which represents the potential risk to reliability, to establish a base penalty range for a violation of the reliability standards.

The Commission previously approved VSLs for requirements and sub-requirements of 83 non-CIP Reliability Standards. In the Non-CIP VSL Order, the Commission provided four guidelines that it will apply when reviewing proposed VSL assignments:

  • VSL assignments should not have the unintended consequence of lowering the current level of compliance.
  • VSL assignments should ensure uniformity and consistency in the determination of penalties.
  • A VSL assignment should be consistent with the corresponding requirement.
  • A VSL assignment should be based on a single violation, not on a cumulative number of violations.

In a subsequent order, Order No. 706, the Commission approved eight CIP Reliability Standards proposed by NERC and directed NERC to file VSLs corresponding to the CIP Reliability Standard requirements and sub-requirements before July 1, 2009. On June 30, 2009, NERC proposed 118 sets of VSLs corresponding to the CIP Reliability Standards.

FERC's review
In the CIP-VSL Order, the Commission approved the proposed VSLs for the CIP Reliability Standards, issued additional guidance for determining appropriate VSLs in the context of cyber security requirements and ordered NERC to revise 57 sets of VSLs within 60 days. The approved VSLs were effective immediately and will be used by NERC to determine penalties for violating the CIP Reliability Standards. In addition, the Commission provided two additional guidelines specific to cyber security VSL assignments.

FERC said: "Requirements where a single lapse in protection can compromise computer network security, i.e., the 'weakest link' characteristic, should apply binary VSLs."

In adopting this all-or-nothing, or binary, approach, the Commission explained that the control systems supporting bulk-power system reliability are "only as secure as their weakest links" and that a single lapse of computer protection can have systemic critical infrastructure consequences. Thus, while FERC generally prefers a gradated approach for VSLs, it concluded that a binary approach was appropriate for cyber security standards involving "weakest link" vulnerabilities.

FERC also said: "VSLs for cyber security requirements containing interdependent tasks of documentation and implementation should account for their interdependence."

FERC explained that often in the cyber environment, implementation of security measures depends on complex plans, policies and procedures that must be repeatable and verifiable. These interdependent tasks require documentation of both the procedures to be followed and verification that the procedures were followed as directed. If the responsible entity documented the control processes and mechanisms but did not implement them, or conversely if the entity attempted to implement controls but did not document the control processes and mechanisms, the desired security would be inadequate. Therefore, for certain reliability standards the interdependency between documentation and implementation should be recognized in the corresponding VSLs.

In addition to the new guidelines, FERC believed that some of the proposed VSLs needed revision as they were too permissive and could have the unintended consequence of lowering the current level of compliance. Finally, FERC had consistency and clarity concerns with specific VSLs and ordered revisions to remove ambiguities.

Rehearing requested
On April 19, the American Public Power Association, the Edison Electric Institute and the National Rural Electric Cooperative Association filed a joint request for rehearing of the CIP-VSL Order. In their rehearing request, the trade associations requested that the Commission reinstate the gradation approach instead of the binary approach for certain VSL assignments and recognize that the successful implementation of electronic-access controls for purposes of CIP VSL Guidance does not depend necessarily upon the documentation of such controls.

On May 17, NERC submitted its compliance filing as required by the CIP-VSL Order. At press time, the FERC had not acted on the rehearing request or the compliance filing. Pending action on the rehearing request, registered entities should address all six of the VSL guidelines in their procedures governing compliance with the CIP Reliability Standards.

This article was written by Pamela J. Anderson, a partner in the Environment, Energy & Resources practice of Perkins Coie LLP practicing in Bellevue, Wash., and Edward C. Lin, an associate in the practice.