NERC is seeking comments through July 10 on proposed changes to its Rules of Procedures (ROP) that were ordered by FERC earlier this year in response to the ERO’s five-year performance assessment (RR19-7).
The planned updates apply to Section 1003, covering NERC’s infrastructure security program — particularly the Electricity Information Sharing and Analysis Center (E-ISAC) — and its sanction guidelines in Appendix 4B of the ROP.
Clarity Sought on E-ISAC’s Role
In its January order, FERC said that despite its growing share of NERC’s budget — accounting for 28% of NERC’s total 2020 budget and 26% of the projected budget for 2021 — the E-ISAC program lacks transparency. The commission requested that NERC clarify the E-ISAC’s relationship with the Electricity Subsector Coordinating Council (ESCC), correct inconsistencies in terminology used in the ROP and update other operational practices related to NERC’s infrastructure security program. (See NERC Wins Another 5 Years as ERO.)
To address FERC’s order, NERC made a number of additions to Section 1003, along with revisions to existing language. Significant insertions include a paragraph describing the role of the E-ISAC and its place alongside the Department of Energy and ESCC in the U.S. national security framework, expanding on a less detailed description in the current version of the ROP. The organization also added language emphasizing that it considers security an equal priority to reliability and resilience.
In addition, language stating that NERC “[fills] the role of the [ESCC]” was deleted. The new wording says that the organization “shall coordinate with” the council.
References to the critical spare transformer program, the National Infrastructure Protection Plan, vulnerability assessments of certain systems and working with the National SCADA Test Bed and Process Control Systems Forum were also deleted, as NERC is not involved in these activities anymore.
Sanction Changes Emphasize Fairness
The changes to the sanction guidelines in Appendix 4B clarify NERC’s and regional entities’ application of base penalties, in addition to emphasizing NERC’s focus on violation risk factor and severity level when determining penalty amounts. NERC also expanded on the role non-monetary sanctions may play in determining the final penalty amount.
Additional changes ordered by FERC include language requiring NERC and regional entities to ensure that “violators do not consider the imposition of monetary and/or non-monetary sanctions to be an economic choice or cost of doing business” by considering the size of the offender and its ability to pay when setting a penalty. The new language also stressed that penalties on multiple subsidiaries of a parent corporation that commit the same violation must be proportionate to the seriousness of the violation and the size of the offender.
Presentation Planned for August Board Meeting
FERC’s order in January mandated NERC make a compliance filing with the necessary revisions by July 21, but NERC requested an extension on the deadline in February that it said would allow for the full 45-day stakeholder comment period, as well as providing time for the Board of Trustees to review the changes before its meeting Aug. 20. (See NERC Seeks More Time on Rule Changes.)
FERC approved this request March 1, granting NERC until Aug. 28 for the compliance filing. The commission later extended the deadline again to Sept. 28 in light of the COVID-19 pandemic. (See FERC Extends NERC Compliance Filing Deadline Again.)
A separate compliance filing ordered by FERC — which requires NERC to detail audits of regional entities in the past five years or provide a plan for performing them within the next 18 months — was delayed to June 1.