NERC Makes Cyber Security Standards More Stringent by Taking Away “Reasonable Business Judgment”

On May 6, 2009, the North American Electric Reliability Corporation (“NERC”) approved revisions to eight cyber security standards for America’s bulk power system as part of their standards revision work plan. The primary revision was the removal of “reasonable business judgment” language in response to concerns FERC voiced in Order No. 706 issued on January 18, 2008.

When the Commission conditionally approved the original NERC standards, FERC directed NERC to remove all language that gave utilities flexibility in complying with the standards based on “reasonable business judgment.” Instead, NERC was told to create specific conditions under which utilities may invoke a “technical exception.” FERC specifically said that cost and other business factors do not excuse a stakeholder from security compliance that affects the entire grid.

NERC has recently urged stakeholders to take a more active role in identifying critical assets that are vulnerable to attacks as part of their precautionary measures and self-audits (see April 17, 2009 edition of the WER). NERC’s new standards were announced just one day before a Senate hearing on how to protect the national energy infrastructure from cyber security threats.

The standards carry stiff penalties for noncompliance. An entity found in violation of the current standards may be fined up to $1 million per day, per violation, and auditing against the cyber security standards currently in effect will begin July 1, 2009. The revisions still need to be filed with and approved by FERC before they become enforceable.