NERC CEO Jim Robb said in a media briefing Thursday that the organization has no plans to request further delays in the effective dates of seven reliability standards that were deferred earlier this year in light of the COVID-19 pandemic.

FERC agreed in April to extend the implementation of the standards to give registered entities the flexibility “to respond to the immediate challenges” of the pandemic. (See FERC Agrees to Defer Standards Implementation.) Affected measures include the following cybersecurity supply chain standards, whose implementation dates were pushed back from July 1 to Oct. 1:

• CIP-005-6 (Electronic security perimeter(s))
• CIP-010-3 (Configuration change management and vulnerability assessments)
• CIP-013-1 (Supply chain risk management)

The implementation for the following standards, originally scheduled to take effect Oct. 1, was moved to April 1, 2021:

• PER-006-1 (Specific training for personnel)
• PRC-027-1 (Coordination of protection systems for performance during faults)

In addition, the effective date of certain provisions of PRC-002-2 (Disturbance monitoring and reporting requirements) and PRC-025-2 (generator relay loadability), originally scheduled to take effect July 1, was moved to Jan. 1, 2021.

In discussing the decision not to seek further deferrals, Robb drew a distinction between these measures and other COVID-19 responses that NERC has sought to extend in recent months as the pandemic wears on, with no end in sight. For example, the organization announced last week it would keep its offices in Atlanta and D.C. closed through the end of 2020. (See NERC Offices to Stay Closed Through December.) NERC’s deferment of on-site activities such as audits and certifications will also continue through December. (See NERC Extends Self-logging, Deferments Through Dec.)

While NERC and FERC have discussed giving registered entities more time to complete their compliance preparations in light of the evolving public health situation, the organizations ultimately decided that the standards — particularly those dealing with cybersecurity — were too critical to reliable operation of the grid to delay any further (echoing criticism voiced at the time of the original deferral).

“Given how important [the] supply chain is, it just doesn’t feel prudent to continue to push [those standards] off,” Robb said.

NERC Compiling Alert Responses

The briefing also included an update from Manny Cancel, senior vice president at NERC and CEO of the Electricity Information Sharing and Analysis Center, on the Level 2 alert issued by the ERO earlier this year requesting information on the bulk power system’s vulnerability to cyberattacks by foreign governments. (See NERC Issues Level 2 Supply Chain Alert.) The alert was drafted in response to President Trump’s declaration of a national emergency regarding foreign threats to the BPS. (See Trump Declares BPS Supply Chain Emergency.)

With the Aug. 21 deadline for responses to the alert past, NERC is now busy compiling the results for a report to be submitted to FERC, Cancel said. Data from the alert will be used to determine “how many devices [on the grid] have been manufactured in potentially rogue nation-states that might be looking to take advantage of our infrastructure here.” While the information itself will be confidential, NERC may share “themes” of the results with the public if necessary.

China and Russia have been identified as particularly concerning “foreign adversaries” with the capability to launch cyberattacks against the grid, with Iran, Cuba, North Korea and Venezuela also referred to as noteworthy threats.

Details of NERC’s Level 2 alert were confidential, but Mark Kuras, senior lead engineer in PJM’s Reliability Compliance Unit, told the RTO’s Operating Committee that the information requested focuses on transformer control and protection systems that are 10 years old or newer. The alert applied mostly to generation and transmission owners, and on “distribution providers to some extent,” he said.