State regulators, utilities and regional transmission organizations have expressed overall support for FERC's proposed approval of eight critical infrastructure protection (CIP) reliability standards, but they cited some concerns with specific language in the standards.

In recent comments filed at the Federal Energy Regulatory Commission (FERC), a number of parties said they favored the agency's proposal to eliminate all references to the term "reasonable business judgment" from the reliability standards addressing cyber security and physical security, which were submitted by the North American Electric Reliability Corp. (NERC) in August 2006 for FERC approval. The notice of proposed rulemaking, which was issued in late July, also addresses concerns related to the term "technical feasibility."

"These terms provide no measurable value to any of the requirements in the standards, and they appear to be open-ended caveats that are susceptible to abuse," said ISO New England Inc. [RM06-22].

"Applying [reasonable] business judgment to a cyber security standard is illogical and incompatible. A certain degree of discretion should be allowed, and a certain measure of flexibility is needed for successful implementation [of the standards]. But reasonable business judgment has no place in implementing cyber security," the California Public Utilities Commission (CPUC) agreed.

"The business judgment rule applies to actions of a corporation's board of directors in managing [a] corporation. Cyber security reliability standards are unrelated to business decisions. Cyber security standards are intended to protect the entire national electric grid from cyber threats."

The NERC standards would allow companies to claim an exception if it is based on "technical feasibility." Companies "could conceivably use a 'technical feasibility' argument to justify noncompliance with most of the CIP reliability standards," the CPUC said.

"An organization will incur added costs in connection with compliance with new mandatory reliability standards, and 'technical feasibility' could be a justification to avoid such costs and, consequently, place the entire bulk power system at risk."

The CPUC said it backs a compromise FERC has proposed on the issue: directing the electric reliability organization (ERO) to establish a structured blueprint to allow for an exception based on technical feasibility. "Requiring an organization seeking to use such an exception to submit a justification and duration for each exception is critical," it noted.

"Moreover, allowing the ERO and the relevant RRO [regional reliability organization] to ultimately approve or disapprove each such exception makes sense. This ultimate veto power is critical. It acts as a preventive measure against any entity attempting to manipulate the system, and induces an entity to act in a responsible manner when invoking a 'technical feasibility' exception."

But the SERC Reliability Corp. believes this requirement will put too much responsibility and work on RROs. "This requirement puts broad technical expertise requirements on the regional entity to research each exception and verify that it is not feasible ... We recommend that the requirement to authorize and document each exception should remain with the entity's designated senior manager," it said.

"It appears that FERC is proposing that the regions take on a much more real-time approach to enforcing the cyber security standards rather than through the traditional audit approach used for all the other standards ... The workload of that will be tremendous and there seems to be no appreciation for the audit workload these CIP standards are going to bring."

©Copyright 2007 Intelligence Press Inc. All rights reserved. The preceding news report may not be republished or redistributed, in whole or in part, in any form, without prior written consent of Intelligence Press, Inc.