On January 21, 2010, the Federal Energy Regulatory Commission (FERC) approved Technical Feasibility Exception (TFE) rules proposed by the North American Electric Reliability Corporation (NERC) applicable to certain Critical Infrastructure Protection (CIP) mandatory Reliability Standards. However, reiterating its prior conclusions from Order No. 706, FERC directed NERC to revise the rules to clarify that the TFE rules will apply to the compensating or alternative measures implemented by Responsible Entities under CIP-006-1 R1.1 and CIP-007-1 R3.
The TFE procedures, to be included as an attachment to the NERC Rules of Procedure, are intended to permit Responsible Entities to implement alternative methods for protecting critical cyber assets when strict compliance with the protective measures imposed by specific Reliability Standards is not technically feasible. Such measures would be subject to the approval of the appropriate Regional Entity upon review of both the mitigating or compensating measures proposed by the Responsible Entity to achieve equivalent protection and the Responsible Entity’s plan for achieving strict compliance in the future.
Under NERC’s proposed TFE rules, portions of two Reliability Standards, CIP-006-1 R1.1 and CIP-007-1 R3, permitted alternative or compensating measures if strict compliance could not be achieved, but were not subject to the formal TFE request and approval procedures. FERC rejected this distinction and directed NERC to revise the TFE rules to make these requirements subject to the TFE procedures.
FERC also questioned NERC’s proposal to create Class-Type TFEs, a label intended to cover equipment, devices, or procedures for which NERC has predetermined a TFE to be appropriate. According to FERC, the purpose behind this proposal is unclear, and could undermine FERC’s goal that TFE requests be reviewed on a case-by-case basis. Presuming that the Class-Type TFE proposal is intended to expedite the review of TFE requests, FERC directed NERC to clarify the procedure for determining Class-Type TFEs and, in particular, the criteria it will apply in making such determinations.
FERC also expressed concern regarding NERC’s proposal that a TFE could be justified if the safety risks of strict compliance outweigh the reliability benefits, or if the costs of strict compliance “far exceed the benefits to reliability.” To address these concerns, FERC directed NERC to explain which entities will make these determinations and how the reliability benefits should be quantified.
Finally, FERC directed NERC to revise the proposed TFE rules regarding the effective date of a rejected TFE request. Under the proposed rules, the effective date had to be at least 60 days following notification of the rejection or disapproval of the request so as to give the Responsible Entity time to come into compliance. FERC expressed concern that because there was no outer limit on the length of time that a Regional Entity could set between notification and the effective date, this created a risk of extended noncompliance. To address this concern, FERC ordered NERC to set an outer limit for this provision, recommending that a maximum of 90 days would be appropriate absent a documented finding of exceptional circumstances.
The timing of the implementation of these changes remains unclear. While FERC approved the TFE procedures effective the day of its order, and the compliance filing to remedy the concerns discussed above is due in 90 days, there is no explanation of how this matches with the provision in the TFE rules that all requests for TFEs must be submitted by January 31, 2010, to avoid sanctions for noncompliance, or of when Responsible Entities with CIP-006-1 R1.1 or CIP-007-1 R3 TFE issues will need to file their requests.