On July 21, 2016, the Federal Energy Regulatory Commission (“FERC”) took several actions that impact a significant segment of the electric utility industry. FERC issued: (1) a Notice of Proposed Rulemaking (“NOPR”) to revise the reporting requirements of certain market participants to enhance its market analytics and surveillance; (2) a final rule that will require the development of a new reliability standard for hardware, software, and computing and network services associated with the bulk electric system; and (3) a Memorandum of Understanding (“MOU”) with the U.S. Army Corps of Engineers (“Army Corps”) to facilitate development of hydropower at Army Corps’ facilities. The discussion below provides an overview of these initiatives.
NOPR Regarding Collection of Data for Market Surveillance and Analytics
FERC issued a NOPR addressing Data Collection for Analytics and Surveillance and Market-Based Rate Purposes (“Data Collection NOPR”). In concurrent orders, FERC withdrew prior NOPRs addressing “Connected Entities” and ownership information in Market-Based Rate (“MBR”) Filings. The Data Collection NOPR requires MBR sellers and entities that trade virtual products or hold financial transmission rights (“Virtual/FTR Participants”) to report certain information about their legal and financial connections to other entities. FERC intends to consolidate its collection of certain information into a relational database, which would be populated by the information submitted by MBR sellers and Virtual/FTR Participants. FERC would require the information to be submitted in an extensible markup language (“XML”) format, and has developed a “data dictionary” that defines associated terms and values. FERC will hold a technical workshop on August 11, 2016 to review the draft data dictionary.
With regard to specific reporting requirements, MBR sellers and Virtual/FTR Participants would be required to submit information regarding their Connected Entities. Connected Entities would include “affiliates,” as currently defined for purposes of the MBR requirements in FERC’s regulations, that are either: (i) an “ultimate affiliate owner” of the entity; (ii) an entity that participates in FERC-jurisdictional organized wholesale electric markets; or (iii) an entity that purchases or sells financial natural gas or electric energy derivative products that settle off the price of physical electric or natural gas energy products. The definition of Connected Entity also would include traders employed by an MBR seller or Virtual/FTR Participant. In addition, each MBR seller and Virtual/FTR Participant would be required to report any entity with which it has an agreement that “confers control over an electric generation asset that is used in, or offered into, wholesale electric markets.”
MBR sellers and Virtual/FTR Participants would be required to submit “changes in connection” within 30 days of the change. A change in connection would occur if an entity: (i) becomes a Connected Entity of a MBR seller or Virtual/FTR Participant; or (ii) ceases to be a Connected Entity of a MBR seller or Virtual/FTR Participant. For connections created by an agreement, FERC proposes to include a de minimis threshold of 100 MW for reporting a change in connection (e.g., entering into, terminating, or amending an agreement that results in the parties conferring control of 100 MW or more of generation).
FERC also proposes substantial changes to the information that would be submitted by MBR sellers. When submitting a market power analysis, MBR sellers would only provide information on affiliates that: (1) are an “ultimate affiliate owner,” defined as the furthest upstream affiliate owner(s) in the ownership chain; or (2) have a franchised service area or MBR authority, or directly own or control generation; transmission; intrastate natural gas transportation, storage or distribution facilities; physical coal supply sources or ownership of or control over who may access transportation of coal supplies. In addition, where a MBR seller is directly or indirectly owned or controlled by a foreign government, the MBR seller must identify the foreign entity as part of its ownership narrative. Finally, with respect to any owners that a MBR seller represents to be passive, the MBR seller must affirm in its ownership narrative that its passive owner(s) own a separate class of securities, have limited consent rights, do not exercise day-to-day control over the company, and cannot remove the manager without cause. MBR sellers would no longer be required to submit corporate organizational charts.
The Data Collection NOPR also includes requirements associated with initial baseline informational filings that would be required after a Final Rule is published, as well as requirements to timely update changes to the information submitted to FERC. The full text of the Data Collection NOPR can be found here.
Final Rule to Mandate Reliability Standard for Supply Chain Risk Management
FERC issued Order No. 829, a final rule that requires the North American Electric Reliability Corporation (“NERC”) to develop a Reliability Standard addressing security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system (“BES”) operations. The final rule identifies four minimum security objectives that the plans required by the Reliability Standard should address: (1) software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls. Commissioner LaFleur dissented from the order, asserting that that the final rule should have had more notice and opportunity for stakeholder comment.
Under the software integrity and authenticity objective, the Reliability Standard must address verification of software publishers and the integrity of software and software patches prior to installation. For the vendor remote access objective, the Reliability Standard must address logging and control of vendor-initiated remote access sessions. Under the information system planning objective, the Reliability Standard must address how a responsible entity includes security considerations in the course of information-system planning and system development, while also addressing how a company identifies and documents risks from planning and development actions. Finally, with regard to the vendor risk management and procurement controls objective, the Reliability Standard must address provision and verification of security concepts in contracts, including vendor event notification processes, vendor personnel termination notification for employees with access to systems, vulnerability disclosures, incident response activities, and “other related aspects of procurement.”
Throughout the order, FERC cites to the supply-chain risk management policies developed by the National Institute of Standards and Technology, suggesting that they may provide useful—and essentially preapproved—aspects of NERC’s forthcoming Reliability Standard. The supply-chain Reliability Standard development process now moves to NERC, where stakeholders will have an opportunity to inform the development of the standard. NERC’s proposed standard must be submitted to FERC within one year after Order No. 829 is published in the Federal Register.
In a related action, FERC issued a Notice of Inquiry (“NOI”) seeking input on both the need for and the possible effects of modifications to the Critical Infrastructure Protection Reliability Standards to address the cybersecurity of BES Control Centers. FERC specifically points to a December 2015 cyberattack in Ukraine—which left 225,000 customers without power, while also rendering parts of the electric system inoperable after the attack—as an example of the vulnerability of interconnected electric networks. FERC specifically seeks input on possible modifications to address “(1) separation between the Internet and BES Cyber Systems in Control Centers performing transmission operator functions; and (2) the use of ‘application whitelisting’1 for BES Cyber Systems in Control Centers.”
The Commission also seeks input regarding potential unintended impacts from the proposed measures. Regarding isolation from the Internet, the Commission seeks comment regarding (1) how isolation from the Internet may affect activities required by other Reliability Standards, (2) whether logical isolation or physical isolation is a preferable cybersecurity approach, (3) whether such a requirement would affect communications between transmission operators and reliability coordinators or other applicable entities, and (4) whether one-way diodes might be reliable and appropriate for certain communications with Control Centers. Regarding application whitelisting, the Commission asks whether Reliability Standards should be modified to require application whitelisting for all BES Cyber Systems in Control Centers, and if not appropriate for all systems, whether it is appropriate for certain devices or components of such systems.
Comments in response to the Notice of Inquiry may be filed up to 60 days after the Notice is published in the Federal Register. A copy of Order No. 829 can be found here, and a copy of the NOI can be found here.
FERC, Army Corps Execute MOU to Facilitate Hydropower Development
FERC and the Army Corps have executed a MOU to coordinate the agencies’ processes for authorizing construction and operation of non-Federal hydropower projects. The MOU—which updates an earlier FERC-Army Corps MOU executed in 2011—establishes a framework for early coordination between FERC and the Army Corps to ensure timely review of and action on non-Federal hydropower development applications.
The MOU establishes a two-phased, synchronized review that will evaluate the impacts of a proposed project through one coordinated environmental review addressing FERC licensing under the Federal Power Act and the Army Corps permitting under Clean Water Act Sections 404 and 408. The first phase, triggered when an applicant commences the FERC licensing process, will be environmental review under the National Environmental Policy Act (“NEPA”). FERC will act as the lead agency for the NEPA review process, with significant Army Corps involvement. Phase 1 concludes with the issuance of a license by FERC and status letters from the Army Corps. Phase 2 is devoted to the Army Corps 408 decision and the Army Corps 404 regulatory permit decision. The full text of the updated FERC-Army Corps MOU can be found here.