December 5, 2024

MRC Defines UTCs; Adds Bid Limit and FTR Forfeiture Rule

Up-to congestion transactions were in the spotlight Thursday as the Markets and Reliability Committee:

  • Approved a definition of UTCs and a limit on trading of them;
  • Approved rules for deciding when UTC traders will forfeit Financial Transmission Rights; and
  • Heard first reading of proposed UTC credit requirements.

The trading limits and FTR forfeiture rules each passed with only one no vote. But the near unanimity dissolved when Andy Ott, PJM senior vice president for markets, reiterated his call for imposing fees on UTCs. Echoing a recommendation by Market Monitor Joseph Bowring, Ott said fixed fees on UTCs would help reduce uplift from Operating Reserve charges (see “PJM Proposes Operating Reserve Changes to Cut Uplift”).

Ott said PJM staff will perform an analysis on how UTCs both benefit market liquidity and increase system congestion. The analysis, which Ott said was necessary to “demystify” UTCs, also will compare them with other virtual trades — increment offers and decrement bids. “We need to have actual analysis, not suppositions, not opinions,” he said.

Carol Smoots, counsel to the Financial Marketers Coalition, said she was “disappointed that some sort of back room deal has been agreed to” regarding fees on UTCs.

Smoots said virtual trades already pay fees, including 40% of line loss charges. “To say the financial sector is not contributing to the cost of physical supply is not accurate,” she said.

Smoots said financial marketers have become a “convenient dumping ground” for fees because they are a small sector with limited voting power within PJM. “Being singled out because some folks don’t choose to use this product is very troubling,” she said.

Almost 95% of UTC trading volume came from financial traders in 2012 versus less than 5% by physical traders, according to the State of the Markets report.

J.P. Morgan vice president Robert O’Connell said fees could undercut UTCs’ role in creating liquidity and price convergence between the day-ahead and real-time markets. If the market-wide benefits of UTCs and other virtual trades outweigh their costs, O’Connell said, they shouldn’t pay any fees. Setting a fee “sends the message that `we don’t want you to converge any closer than $1 or $2,’ whatever the fee is.”

Jeffrey Mayes, general counsel for the monitor, said the definition of UTCs and any consideration of fees should be the subject of a transparent process beginning with a problem statement. “This proceeding isn’t going to do that,” he said.

Trading Limits

Reason for Change:

PJM proposed the cap because high bid volumes can make it difficult for the RTO’s day-ahead markets software to reach solutions.

Impact:

PJM can limit market participants to no more than 3,000 UTC transactions each in the day-ahead market when necessary for market operations. (A similar cap also applies to increment offers and decrement bids.)

The definition of market participant includes all sub-accounts established under the member. Affiliates will be treated as separate participants and have their bids counted individually.

The cap includes changes to the tariff, Operating Agreement and Manual 11.

FTR Forfeiture Rule

Reason for Change:

The rule is intended to prevent market manipulation — in this case, the submission of UTCs that boost the value of a participant’s FTRs.

Impact:

The rule is applied when those UTCs result in a higher LMP spread in the day-ahead market than in the real-time market.

Credit Requirements

Reason for Change:

UTC trading volumes have grown dramatically since 2010 (see chart) but have no credit requirements to protect market participants against defaults.

UTC Trading Volume 2006 - 2012 (Source: State of the Markets 2012)
UTC Trading Volume 2006 – 2012 (Source: State of the Markets 2012)

Impact:

The Credit Subcommittee conducted polling on five alternative credit requirements for UTCs.  PJM’s recommendation (Alternative F) won support from 91% of the 159 members responding to the survey, besting Alternative C with 48%.

The alternatives vary by how much collateral would be required and how much credit exposure the collateral would cover.

PJM’s proposal sets a bid screen based on the 70th percentile of the difference between the bid price and two-month rolling historical real-time costs for prevailing flow bids. It uses the 80th percentile for counterflows.

The cleared portfolio requirement is based on the 70th percentile of the difference between the cleared price and two-month rolling historical real-time costs for prevailing flows and 95th percentile for counterflows.

PJM analyzed the impact of the five proposals against trading results for April 2011, July 2012, and January 2013 to evaluate shoulder, summer and winter periods. It also looked at how they fared against the largest losses in the 10-month period between January 1 and Oct. 31, 2012. (See chart.)

“There is not likely one perfect set of credit requirements that would cover every period,” PJM Chief Financial Officer Suzanne Daugherty said. Daugherty said the goal was to find a balance that minimizes exposure without setting collateral requirements “so high that it shuts down the market.”

One alternative (Alternative E) showed the lowest remaining exposure and highest credit requirements in all scenarios while another (Alternative B) had the lowest credit requirements and left the highest remaining exposure. (See chart.)

UTC-credit-requirement-performance-vs.-4-scenariosUTC traders would need at least $200,000 in collateral, the same as for increment and decrement transactions.

Traders in Financial Transmission Rights are required to post $500,000. Daugherty said the lower requirement was justified because UTCs’ exposure is limited to a single day while FTR exposures range from one to 36 months.

Daugherty said that because all market participants benefit from the liquidity UTCs add, PJM doesn’t support limiting defaults to only those trading UTCs.

Next Steps:

The Credit Subcommittee has scheduled a conference call for 1 pm today to discuss the results of the committee’s polling on the five alternatives.

The Market Implementation Committee (MIC) is scheduled to consider the issue May 8 and submit MRC a single option to consider on May 30.

PJM Proposes Operating Reserve Changes to Cut Uplift

PJM called Thursday for a broad review of its method of providing Operating Reserve payments, saying changes were needed to reduce growing uplift costs.

Operating Reserves are “make whole” payments that ensure generators dispatched out of merit for system reliability don’t operate at a loss. Because they are collected through uplift charges and not reflected in day-ahead or real-time locational marginal prices, they cannot be hedged.

Total Operating Reserve Charges: 1999 - 2012In 2012, operating reserve payments totaled a near record $649 million, 2.2% of total billing. Day-ahead operating reserve charges increased by about 90% in 2012, spiking in September after PJM increased the number of “must run” units dispatched in the day-ahead market.

PJM told the Markets and Reliability Committee it should consider an overhaul that incorporates more of the charges into LMPs.

MRC will be asked to vote on a proposed problem statement at its May 30 meeting. The effort, which would create a senior task force reporting to MRC, is expected to take at least a year.

PJM Senior Vice President of Markets Andy Ott said the focus should be a broad “re-look at the whole concept of uplift charges.”

Uplift charges often result from units that may be economic for two hours but must run for longer periods because of minimum run and ramping constraints. “It’s not an unusual circumstance. It happens every day, every hour,” Ott said.

Noha Sidhom, general counsel for Vel Energy, LLC, said her traders have reduced trading of increments and decrements because of price uncertainty. Incs and decs paid an average of about $2.50/MWh in operating reserve charges in 2012, with charges ranging from 20 cents to almost $18/MWh.

Ott said imposing fixed fees on virtual transactions to reflect their administrative costs and  contribution to operating reserve charges would result in “a much more robust market.”

The Market Monitor’s State of the Markets report included a dozen recommendations on operating reserves. Among them were a review of the allocation of operating reserve charges to ensure that such charges are paid by all responsible for incurring them, including those making up-to congestion (UTC) transactions. (See “MRC Defines UTCs”)

The monitor estimated the number of UTC transactions would have been cut by two-thirds if they were subject to operating reserve charges.

PJM contact: Lynn Horning

 

PJM Working on New Deal with Monitor

WILMINGTON  (April 25, 2013) – PJM announced today it is negotiating a new contract with its independent market monitor, Monitoring Analytics LLC, dropping plans to put the contract out for bid.

PJM General Counsel Vince Duane told the Markets and Reliability Committee that the RTO and Monitoring Analytics have agreed to extend the company’s current contract — due to expire in mid-2014 — through the end of next year.

Duane said PJM would issue a request for proposals (RFP) for monitoring services only if it cannot reach agreement with Monitoring Analytics on a new three-year contract beginning in 2015.  Such an impasse “doesn’t seem terribly likely,” Duane said.

Duane said the PJM board made the decision to renew the Monitoring Analytics contract in the interests of “continuity” after receiving feedback from stakeholders.

In March, state regulators, industrial consumers and cooperatives sent the PJM board letters protesting its draft RFP, saying it contained terms that would undermine the independence and quality of the monitoring function.

Duane said yesterday that the new contract would include “reasonable measures” for the board to exercise oversight ensuring the monitor’s “accountability.” Duane promised to update members on the status of negotiations within two months, adding,  “What we’d ask for at this time is some breathing room.”

Jeff Mayes, general counsel of Monitoring Analytics, said the company was confident that the two parties would reach agreement.

“We recognize the board’s important role in promoting an independent and capable monitoring function,” Mayes said in a statement. “We appreciate the board’s interest in fulfilling its responsibilities related to market monitoring under the tariff and FERC (Federal Energy Regulatory Commission) rules.”

A new contract with the monitoring firm would allow the board to avert another showdown with stakeholders over the monitor’s role.

Monitoring Analytics is headed by Joseph Bowring, a Ph.D. economist who has served as PJM’s market monitor since 1999. In April 2007, Bowring sparked a firestorm at a FERC technical conference when he accused then-PJM President Phil Harris and his allies of attempting to muzzle him by squelching his reports and cutting his budget.

Under the terms of a settlement approved by FERC, Bowring formed Monitoring Analytics to create an independent monitoring function (EL07-56-000) and was awarded a six-year contract.

Electric Industry Leads U.S. in Cybersecurity Protections

The North American Electric Reliability Corp. (NERC) issued $9.2 million in fines for violations of its cybersecurity rules between 2008 and October 2012, half of all fines issued over that period.

Violations of NERC’s Critical Infrastructure Protection (CIP) rules were involved in six of the top 10 penalties, including a $725,000 fine in October.

At a time when Congress has been unable to agree on cybersecurity legislation to protect the rest of the U.S. economy, there’s no doubt that NERC and the Federal Energy Regulatory Commission take the cyber threat seriously.NERC-reliability-violations-bar-graphs1

The industry has come a long way in the three years since I was sitting in on NERC audits as a member of the FERC enforcement staff. The new CIP rules approved by FERC last week will cover more assets and add more controls. They’ll no doubt be good for the business of IT consultants. Regulated utilities that are allowed to put the costs in rate base will be more than happy to spend the money.

But will it be enough to prevent the potential for what former Defense Secretary Leon Panetta called a “cyber Pearl Harbor”?

While Congress gave FERC authority to issue fines of up to $1 million per day per violation, the fines issued to date have been puny relative to the earnings of the companies involved — less than one-tenth of one percent of the companies’ net income (see table)CIP-Violators-chart

Meanwhile, a decision by NERC and FERC to stop disclosing the identities of CIP violators — so as not to expose the violators’ vulnerabilities — has removed any reputational risk that companies might fear. Since September 2011, virtually none of those penalized for CIP violations has been named.

In announcing the new CIP rules last week, FERC commissioners emphasized their desire to emphasize compliance over punishment. That’s a reasonable approach, especially when the rules are new.

But if there is no reputational risk and the financial penalties are not material, don’t be surprised if some companies decide that it’s better business to cut corners on cybersecurity.

Rich Heidorn Jr. 

FERC Remands DR Information Requirements

FERC ruled Friday that PJM must seek commission approval for new rules requiring demand response providers to provide officer certifications and additional information on their customers.

Acting on a complaint by three demand response providers, FERC said the changes required amendments to the PJM tariff and not just its manuals. Tariff changes require commission approval while manual changes don’t.

The rules, implemented March 28, require Curtailment Service Providers seeking to participate in capacity auctions to file “Sell Offer Plans,” including information about the provider’s customers. CSPs also must have a company officer sign a certification attesting to the company’s intent to physically deliver MWs.

The demand response providers filed the complaint April 3, saying the rules create unnecessary barriers to demand response participation in PJM’s capacity markets.

The plaintiffs’ procedural victory may be short-lived, however. In a statement concurring with the order, Commissioners Philip Moeller and Tony Clark indicated they would look favorably on the changes when PJM files them with the commission. “It appears that PJM has a legitimate need to require that demand resources provide certain information to substantiate offers to supply capacity,” the commissioners wrote.

The commissioners said the information was needed to prevent uncertainty that could “degrade the very purpose of PJM’s capacity market.”

Seeking “Bright Line,” FERC Leaves BES Appeal Rules Unclear

By Rich Heidorn Jr
PJM Insider

The Federal Energy Regulatory Commission gave final approval Thursday to NERC’s revised definition of the “Bulk Electric System“ (BES), the category of transmission facilities covered by NERC reliability rules (Docket #s RM12-6, RM12-7).

The new definition eliminates regional discretion and establishes a “bright-line” threshold including most facilities operating at or above 100 kV. Excluded from the definition are certain radial facilities.

The order includes a case-by-case exemption process for entities seeking to remove from BES status facilities that they believe should be characterized as local.

Thursday’s order reaffirmed FERC’s Dec. 20 ruling in the docket and rejected rehearing requests from several parties who said the commission’s explanation of the case-by-case exemption process was unclear. The  order did little to address the commenters’ concerns, however, containing several apparent contradictions (see below).

Reason for Change:

FERC directed NERC to develop the new BES definition in Order 743 (Nov. 18, 2010), saying the current process lacked sufficient oversight and led to inconsistencies between regions.

All reliability regions except the Northeast Power Coordinating Council, Inc. (NPCC) already use the 100 kV threshold. The commission said NPCC’s classifications of 100 kV facilities as local distribution were “subjective” and inconsistent and excluded “facilities that clearly are needed for reliable operation.”

The commission said the new threshold was appropriate because most 100 kV and above facilities operate in parallel with higher voltage facilities and experience similar loading. As a result, 100 kV facilities are relied upon during contingency scenarios and failures of such lines have caused cascading outages, the commission said.

The Commission also asserted that it can designate sub-100 kV facilities as part of the BES if they are necessary for the reliability of the transmission network, noting that such facilities were a significant factor in the Arizona-Southern California outages on Sept. 8, 2011.

Impact:

NERC had previously used 100 kV as a guideline for distinguishing between transmission and local distribution systems. The new order eliminates the phrase “generally operated at voltages of 100 kV or higher” in the current definition.

In its place is a new “core definition” covering all transmission elements and real power and reactive power resources connected at 100 kV or higher. The rule also lists five facilities configurations that are typically included in the BES and four that are excluded.

Newly-included elements have 24 months from the July 1, 2013 effective date to comply with reliability standards.

The commission required two changes to the NERC proposal, saying the exclusions for radial systems should not cover generator tie lines but should cover looped configurations connected below 100 kV.

The commission said most local distribution facilities will be automatically excluded by the 100 kV threshold and the local network exclusion (see exclusion 3). For those that aren’t, the new rules allow facility owners to appeal to NERC or FERC for a case-by-case review.

The “starting point” for FERC’s review will be the seven-factor test it set out in Order 888 (April 24, 1996). The seven “indicators” of local distribution include physical characteristics (local distribution facilities are normally in close proximity to retail customers, primarily radial and lower voltage) and functional characteristics (power flowing into local distribution systems is consumed in a restricted geographical area; it rarely, if ever, flows out to be transported to another market).

Confusion over Appeal Process

How NERC’s process will interact with FERC’s was the subject of much confusion after the Dec. 20 order.

In Order 743, the commission said that determining the line between transmission and local distribution should be part of NERC’s case-by-case exception process and directed NERC to develop rules for doing so.

In the Dec. 20 order, however, FERC announced that “while NERC’s case-by-case exceptions process is appropriate to determine the technical issue of whether facilities are part of the bulk electric system, the jurisdictional question of whether facilities are used in local distribution should be decided by the Commission.” (Emphasis added.)

Several parties filed responses saying that the Dec. 20 order created a confusing and potentially duplicative process.

“Will the processes run concurrently? If not, which process (NERC’s “technical” consideration or FERC’s “jurisdictional” consideration) is conducted first?” the National Rural Electric Cooperative Association asked in a Jan. 22 request for clarification or rehearing.

The Transmission Access Policy Study Group (“TAPS”) and Electricity Consumers Resource Council (“ELCON”) called FERC’s solution confusing and unwieldy. “Would NERC be bound by prior FERC determinations? Would FERC reopen NERC determinations? Are there issues that NERC would not be permitted or required to consider, or that entities would not be permitted to raise, in the exception process? Would one process be delayed pending completion of the other process?” the organizations asked in their petition.

FERC Response

In Thursday’s order, FERC denied the rehearing requests and attempted — without much success — to address the confusion.

FERC said that entities whose facilities are not excluded by NERC under the core definition and exclusions “may appeal a final NERC exceptions process decision to the Commission.” (Paragraph 91)

But it also said entities can petition FERC directly without filing first with NERC and that FERC’s “inquiry is a distinct process not made in connection with review of NERC exception process decisions.”(P 90)

The two processes, FERC said, “are separate, not concurrent and will be used for different determinations.” (P 89)

What the commission appears to be saying in paragraph 90 is that it will independently determine questions of whether a facility is used in local distribution or is part of the Bulk Electric System.

A separate question concerns whether a facility that is not used in local distribution should nonetheless be excluded from NERC’s reliability standards because it is not necessary for the grid’s reliability. In paragraph 91, the commission appears to say that this determination is initially NERC’s call, but can later be appealed to FERC.

A NERC spokeswoman told PJM Insider yesterday that it was still reviewing the order and had no immediate comment. A FERC spokesman said he was unable to elaborate on the order.

The bottom line: Unless the commission provides further clarification,  it may fall to the appellate courts to sort out this tangle.

Highlights of CIP Version 5

CIP version 5 is comprised of 10 standards, one covering the categorization of assets and nine mitigating their risk of being compromised.

Categorization of risk

CIP–002–5 (BES Cyber System Categorization) will require entities to categorize all BES Cyber Systems according to impact that “loss, compromise, or misuse” of the systems could have on the reliable operation of the grid.

  • High Impact facilities, which include large control centers and backup centers that perform the roles of the Reliability Coordinator, Balancing Authority (for generation of 3,000 MW or more in a single Interconnection), Transmission Operator or Generator Operator.
  • Medium Impact facilities are generation and transmission facilities (similar to those identified as Critical Assets in CIP-002-4) and control centers not identified as Critical Assets in CIP-002-4.
  • Low Impact facilities are all other BES Cyber Systems. This establishes protections for systems not covered by CIP Version 4.
Risk mitigation
  • CIP-003-5 (Security Management Controls) requires that low impact systems implement policies for cybersecurity awareness, physical security, electronic access, and incident reporting. The commission ordered NERC to provide more detail on these requirements.
  • CIP-004-5 (Personnel and Training) requires programs for security awareness, cyber security training, personnel risk assessment, and access management.
    • Expands training requirements and adds identification of roles requiring training.
    • Includes rules for electronic interconnectivity and storage media;
    • Specifies that the seven-year criminal history check covers all locations where an individual has lived for six consecutive months or more, regardless of official residence; and
    • Requires companies to revoke access for terminated employees immediately, instead of within 24 hours. Also requires immediate revocation for those no longer needing access (e.g., transferred employees).
  • CIP-005-5 (Electronic Security Perimeter(s)), focuses more on discrete Electronic Access Points; requires two security measures for detecting malicious communications so that Cyber Assets do not lose all perimeter protection if one measure fails.
  • CIP-006-5 (Physical Security of BES Cyber Systems) requires a physical security plan to protect BES Cyber Systems; clarifies that high impact systems must have at least two physical access controls protecting security perimeters; increases testing from every three years to every two years.
  • CIP-007-5 (Systems Security Management) is modified to make the requirements less dependent on specific technology so that they will remain relevant for future technologies; increases and clarifies testing requirements.
  • CIP-008-5 (Incident Reporting and Response Planning) specifies incident response requirements, including one requirement to report cyber security incidents to NERC’s Electricity Sector Information Sharing and Analysis Center (ES‐ISAC) within one hour and another for after-action reviews.
  • CIP-009-5 (Recovery Plans for BES Cyber Systems) specifies requirements for recovery plans, including testing every 36 months.
  • CIP-010-1 (Configuration Change Management and Vulnerability Assessments) is a new standard that consolidates requirements from previous versions of CIP-003, CIP-005 and CIP-007; includes requirements to detect unauthorized modifications to BES Cyber Systems.
  • CIP-011-1 (Information Protection) is a new standard that consolidates the information protection requirements from previous versions of CIP-003 and CIP-007; includes requirements to prevent unauthorized access to BES Cyber System Information and specifies reuse and disposal provisions to prevent unauthorized dissemination of protected information.

Bulk Electric Systems (BES) Inclusions and Exclusions

  • I1 – Transformers with the primary terminal and at least one secondary terminal operated at 100 kV or higher unless excluded under Exclusion E1 or E3.
  • I2 – Generating resource(s) with gross individual nameplate rating greater than 20 MVA or gross plant/facility aggregate nameplate rating greater than 75 MVA including the generator terminals through the highside of the step-up transformer(s) connected at a voltage of 100 kV or above.
  • I3 – Black start Resources identified in the Transmission Operator’s restoration plan.
  • I4 – Dispersed power producing resources with aggregate capacity greater than 75 MVA (gross aggregate nameplate rating) utilizing a system designed primarily for aggregating capacity, connected at a common point at a voltage of 100 kV or above.
  • I5 – Static or dynamic devices (excluding generators) dedicated to supplying or absorbing Reactive Power that are connected at 100 kV or higher, or through a dedicated transformer with a high-side voltage of 100 kV or higher, or through a transformer that is designated in Inclusion I1.
Exclusions:
  • E1 – Radial systems: A group of contiguous transmission Elements that emanates from a single point of connection of 100 kV or higher and: a) Only serves Load. Or, b) Only includes generation resources, not identified in Inclusion I3, with an aggregate capacity less than or equal to 75 MVA (gross nameplate rating). Or, c) Where the radial system serves Load and includes generation  resources, not identified in Inclusion I3, with an aggregate capacity of non-retail generation less than or equal to 75 MVA (gross nameplate rating).
  • E2 – A generating unit or multiple generating units on the customer’s side of the retail meter that serve all or part of the retail Load with electric energy if: (i) the net capacity provided to the BES does not exceed 75 MVA; and (ii) standby, back-up, and maintenance power services are provided to the generating unit or multiple generating units or to the retail Load by a Balancing Authority, or provided pursuant to a binding obligation with a Generator Owner or Generator Operator, or under terms approved by the applicable regulatory authority.
  • E3 – Local networks (LN): A group of contiguous transmission Elements operated at or above 100 kV but less than 300 kV that distribute power to Load rather than transfer bulk-power across the interconnected system. LN’s emanate from multiple points of connection at 100 kV or higher to improve the level of service to retail customer Load and not to accommodate bulk-power transfer across the interconnected system. The LN is characterized by all of the following:
    • Limits on connected generation: The LN and its underlying Elements do not include generation resources identified in Inclusion I3 and do not have an aggregate capacity of non-retail generation greater than 75 MVA (gross nameplate rating);
    • Power flows only into the LN and the LN does not transfer energy originating outside the LN for delivery through the LN; and
    • Not part of a Flowgate or transfer path: The LN does not contain a monitored Facility of a permanent Flowgate in the Eastern Interconnection, a major transfer path within the Western Interconnection, or a comparable monitored Facility in the ERCOT or Quebec Interconnections, and is not a monitored Facility included in an Interconnection Reliability Operating Limit (IROL).
  • E4 – Reactive Power devices owned and operated by the retail customer solely for its own use.

What You Need To Know About CIP Version 5

NERC’s version 5 Critical Infrastructure Protection (CIP) rules include 10 standards, two of them new.

The commission’s conditional approval of version 5 came in the form of a Notice of Proposed Rulemaking. The commission will accept comments on the new rules for 60 days after their publication in the Federal Register.

The commission said NERC had not provided justification for setting a 24-month implementation period for High Impact and Medium Impact BES Cyber Systems, and a 36-month implementation period for Low Impact systems.

CIP version 3 (CIP-002-3 through CIP-009-3) will remain in effect until the effective date of version 5.  Version 4 (CIP-002-4 through CIP-009-4) will not take effect as originally planned.

Version 5 requires registered entities to classify all of their Bulk Electric System (BES) facilities based on their impact on reliability. The Low, Medium or High impact categories replace the previous approach, in which facilities were either covered or not covered by CIP standards.

NERC Critical Infrastructure Protection Violations 2008-2012
NERC Critical Infrastructure Protection Violations 2008-2012
Reason for Change:

Version 5 adds new cybersecurity controls and extends the scope of the systems protected by them. Many of the changes were directed by the Commission in Order 706 (Jan. 18, 2008).

The shift to identifying and categorizing high, medium and low impact systems was based on a review of the National Institute of Standards and Technology (NIST) risk management framework for categorizing and applying security controls.

Impact:

Version 5 is comprised of 10 standards, one covering the categorization of assets and nine mitigating their risk of being compromised (see Highlights of CIP Version 5). It includes 15 newly defined terms, modifications to four existing terms and retires two terms: Critical Assets and Critical Cyber Assets.

Systems at all impact levels must be within a security zone that provides protection from outside influences using a posture of “mutual distrust.” No communications crossing the perimeter is trusted, regardless of where the communication originates.

To Be Determined:

The commission approved most of NERC’s proposals but said it may require NERC to change requirements that entities “identify, assess, and correct” deficiencies. The commission said it was concerned that the phrase was “unclear with respect to the compliance obligations it places on regulated entities and … too vague to audit and enforce compliance.”

The commission said it may require NERC to either change the language or provide details for how it would be applied and how compliance could be audited.

The commission also said NERC had not provided a “clear roadmap” for what operators of low impact facilities must do to achieve compliance.

NERC proposed an implementation period of 24 months for all but those regarding low impact systems, which would have 36 months to comply.  The commission said NERC had not explained its rationale for the implementation plan and said it will order quicker compliance unless NERC or other commenters “provide reasonable justification” for the proposed time frame.

(For a full list of what’s included in CIP Version 5, click here.)

Cost Recovery Criteria OK’d

The Commission approved criteria for determining which NERC activities are eligible for cost recovery under section 215 of the Federal Power Act.

Reason for change:

A FERC audit issued last year recommended the development of the criteria.

Impact:

The criteria restrict funding to “statutory” activities such as those involving the development, monitoring and enforcement of reliability standards, along with related training.

FERC will use the criteria in approving NERC’s annual budgets. Expenses approved by FERC are eligible for cost recovery from end users.

The commission ruled that the proposed criteria were generally acceptable but required replacement of the term “involve or support” with the term “necessary or appropriate” as the basis for funding. The commission said the former term was too broad and provided no practical limitation on funding.