September 21, 2020

FERC Seeks Comments on Bulk-Power Supply Chain Equipment Risks

The Federal Energy Regulatory Commission (FERC, the Commission) is seeking comments on the potential risks to the bulk-electric system posed by using equipment and services produced or provided by entities identified as risks to national security.

In a Notice of Inquiry approved at its Sept. 17 open meeting, the Commission said it is seeking comments on:

  • The extent to which equipment and services provided by such entities are used in the operation of the bulk electric system;
  • The risks to bulk electric system reliability and security posed by the use of such equipment and services;
  • Whether the current Critical Infrastructure Protection (CIP) Reliability Standards adequately mitigate the identified risks; and
  • Possible actions the Commission could consider to further address the identified risks.

Since the Commission approved the existing CIP Reliability Standards on supply chain risk management in Order No. 850, there have been significant developments in the form of Executive Orders, legislation, and federal agency actions that raise concerns over the potential risks posed by the use of equipment and services provided by entities identified as risks to national security.

Huawei Technologies Company and ZTE Corporation have been identified as examples of such entities because they provide communication systems and other equipment and services that are critical to bulk electric system reliability.

Comments on the Notice of Inquiry are due 60 days after publication in the Federal Register, and reply comments are due 90 days after publication in the Federal Register.

Through its Security, Risk, and Compliance Committee (SRCC), UTC provides its members with opportunities to discuss the several different moving pieces at the federal level and how they impact utility operations. For more information, please contact the SRCC Team.

Comments ‘Overwhelmingly’ Oppose Cable Industry’s Poles Cost-Shifting Plan

An “overwhelming” consensus agrees that a recent proposal to further tilt the pole-attachments playing field in favor of the cable industry is flawed, baseless, and contrary to federal law.

In a set of comments to the Federal Communications Commission (FCC, the Commission), UTC, the Edison Electric Institute (EEI), and the National Rural Electric Cooperative Association (NRECA) pointed to the volume of opposing views demonstrating that the July 2020 pole-attachments petition filed by the NCTA-the Internet & Television Association is essentially an exercise in cost-shifting.

The comments were filed in response to stakeholder input regarding the cable industry’s petition, which asks the FCC to require that utility pole owners in locations unserved by broadband pay at least half of the costs of replacing poles that are needed to deploy new broadband connectivity services. The cable industry also wants the agency to expedite pole-attachment complaints in unserved areas, and direct pole owners to replace poles within a specific time period (Industry Intelligence, July 27, 2020).

UTC, EEI, and NRECA filed initial comments earlier this month opposing the proposal.

In these latest comments, the utility organizations noted that the majority of commenters “overwhelmingly demonstrate” that the cable industry petition is flawed and contrary to federal law. It amounts, essentially, to an effort to shift the incremental costs of attaching new equipment to utility poles from the attaching entity to the pole owner, which is inconsistent with existing policy.

“The Commission should reject NCTA’s Petition and the further proposals advanced on the record in response to the Petition, as they ask the Commission to effectively provide attachers with a blanket discount on pole replacements, thereby shifting costs to pole owners contrary to the Commission’s longstanding cost allocation policies,” UTC, EEI, and NRECA said.

Please contact the UTC Public Policy Team with any questions.

Joint FERC-NERC Report Highlights Cyber Responses, Best Practices

Staff of the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) last week released a report on cyber planning for response and recovery that outlines best practices for the electric utility industry.

The joint staffs of FERC and NERC, and the NERC Regional Entities, developed the report after interviewing subject matter experts from eight electric utilities of varying size and function. The report includes the joint staffs’ observations on the utilities’ defensive capabilities and on the effectiveness of their Incident Response and Recovery (IRR) plans.

The report identifies common elements among the IRR plans: They define their scope, computer security events and incidents, staff roles and responsibilities, levels of authority for a response, reporting requirements, requirements and guidelines for external communications and information sharing, and procedures to evaluate performance.

The report also identifies best practices, finding that effective IRR plans:

  • Contain well-defined personnel roles, promote accountability and empower personnel to act without unnecessary delays, and use supporting technology and automated tools while recognizing the importance of human performance;
  • Require well-trained personnel who are constantly updating their skills and incorporate lessons learned from past incidents or tests;
  • Use baselining so personnel can detect significant deviations from normal operations, and flowcharts or decision trees to determine quickly when the utility reaches a predefined risk threshold and a suspicious set of circumstances qualifies as an event;
  • Remove all external connections when activated, and consider the possibility that a containment strategy may trigger predefined destructive actions by the malware, and employ evidence collection and continued analysis to determine whether an event indicates a larger compromise;
  • Consider the resource implications of incident responses of indeterminate length; and
  • Implement lessons learned from previous incidents and simulated activities.

The report concludes that effective IRR plans are important resources for addressing cyber threats, that such plans should be in place, and that response teams should be prepared to detect, contain, and, when appropriate, eradicate cyber threats before they can harm utility operations.

Through its Security, Risk, and Compliance Committee (SRCC), UTC provides its members with opportunities to discuss the several different moving pieces at the federal level and how they impact utility operations. For more information, please contact the SRCC Team.

UTC Calendar of Events

Regional Meetings—All Virtual

Calendar of UTC committee/division conference calls

Committee/Division calls

  • Sept. 22: Utilities Broadband Committee Call—For more information, contact Brett Kilbourne
  • Oct. 13: UtiliSite Committee Call—For more information, contact Bob Lockhart
  • Oct. 13: Knowledge & Learning Committee Call—For more information, contact Bob Lockhart
  • Oct. 15: Public Policy Division Call–For more information, contact Rob Thormeyer
  • Oct. 15: Telecom Committee Call—For more information, contact Brett Kilbourne
  • Oct. 16: Security, Risk, & Compliance Committee Call—For more information, contact Bob Lockhart
  • Oct. 21: IT/OT Committee Call—For more information, contact Bob Lockhart