[EDITOR’S NOTE: A previous version of this article incorrectly reported that the manual updates are being proposed NYISO. They are in fact being proposed by transmission owners.]

The NYISO Transmission Planning Advisory Subcommittee on July 9 criticized a transmission owner proposal to include Critical Energy/Electricity Infrastructure Information (CEII) protection requirements in the ISO’s manuals over what they described as confusing wording and inconsistent requirements. 

The TOs are concerned that with the “explosion” of generator interconnection requests, there is a gap in the CEII protection requirements. 

“There are FERC CEII protection rules, but they apply to information submitted to or generated by FERC; protections do not apply to information exchanged at the ISO level,” said William Derasmo, a partner at Troutman Pepper who presented the updates on behalf of the TOs. “The idea is to try to put something in place to fill that gap.” 

Derasmo explained that the updates would be followed by conforming tariff revisions. He cited a warning from the FBI that renewable energy generation could pose additional cybersecurity risks. (See FBI Warns Power Sector of IBR Cyber Vulnerabilities.) 

“This topic is not going away,” Derasmo said. “It’s a problem that is here, and we can’t wish it away.” 

The proposed revisions would require developers of generation or transmission facilities, their consultants or any nongovernmental organizations requesting CEII from NYISO to:  

• • provide NYISO and the transmission owner with a list of any countries outside the U.S. and Canada in which they operate; 
  • obtain cybersecurity risk insurance in coverage amounts of $5 million; 
  • establish a chain of custody, policies and process to securely handle and store CEII; 
  • not engage with entities owned by, controlled by or subject to the jurisdiction of “foreign adversaries”; 
  • engage in background screenings and security training for personnel accessing CEII; 
  • provide for secure deletion of CEII from systems; and 
  • report cybersecurity incidents to the NYISO and the TO within 48 hours. 

Stakeholders seemed confused that the draft updates used multiple overlapping definitions for “critical energy infrastructure,” “critical electricity infrastructure” and “critical infrastructure.” One stakeholder called it “overkill and unnecessary.” 

“We don’t need to parse it between ‘critical electric infrastructure’ and ‘critical infrastructure,’” they said. “You’re adding an unnecessary complication.” 

Others expressed confusion that the manual updates were being proposed without the accompanying tariff revisions. Typically tariff revisions are approved by FERC first before manual updates to define the scope of revision. 

“I guess I’m really struggling with how to do it this way,” the stakeholder said. “I think you’re maybe unnecessarily causing some confusion, if not complication, here. In any event, we’re not going to have any helpful guidance until you’re proposing the tariff first.” 

One stakeholder raised the issue of “special treatment” of the TOs. The current draft of the rules would require that recipients of CEII inform NYISO and TOs of security incidents and foreign business dealings, but they would not require the ISO or TO to inform recipients of cybersecurity breaches or similar multinational dealings. 

Another stakeholder raised the point that some people who have access to CEII do not represent or work for multinational corporations with large budgets. Requiring $5 million in cybersecurity risk insurance likely would deny people and firms of this kind access to CEII. They suggested having a MyNYISO account would be enough to trigger the insurance requirement.