Executive Overview

Just as there are various widely applicable information security standards such as ISO 17799, COBIT, and ISF, there is also a North American set of information security standards for the electricity generation/distribution industry. The sponsors for this standard are the U.S. Federal Departments of Energy and Homeland Security, which want a stable dependable electricity infrastructure across North America.

This article attempts to cut through the dizzying array of acronyms, agency names, and renamed standards, to identify for the reader the governing bodies that determine and enforce compliance—as well as their "teeth" to enforce compliance, and two concurrent timetables for meeting compliance by market participant category.

Many readers will be surprised to learn they are already late or remiss with their compliance obligations, and that final compliance requirements are far earlier than they understood.

The Players

In response to the cascading electricity supply failure of August 2003 and to terrorism threats, the federal Energy Policy Act of 2005 (EPAct)¹ appointed the Federal Energy Regulatory Commission (FERC)² to create an organization to ensure a reliable source of electricity for North America. This oversight organization is to be named the Electric Reliability Organization (ERO). The specific rule is titled FERC 18 CFR 39, Docket RMO5 -30-000, Order number 762.³

The act mandates a process for various applicant organizations to register with a selection committee to be considered for gaining the position of ERO. North American Electric Reliability Council (NERC) is the only registrant for the position of ERO. NERC's stated goal is to work with U.S. and Canadian legislators, to become certified and to begin operating as the ERO by January 1, 2007.⁴

Jurisdiction will be all of North America, with collaboration from Canadian counterparts to be provided primarily by each of the provincial governments. Canada's provinces and the National Energy Board⁵ have jurisdiction over electricity, unlike the USA, where electricity is under federal jurisdiction.

For example, the Ontario Ministry of Energy is responsible for electricity legislation in Ontario, and sponsored the Ontario Electricity Act of 1998⁶, referring to NERC or its successor as the source of new regulations which will regulate market participants.

The specific relevant sections are under definitions: "standards authority" means the North American Electric Reliability Council, any successor thereof, or any other agency or body that recommends standards or criteria relating to the reliability of transmission systems; and in section 5.(1) (d) to participate in the development by any standards authority of standards and criteria relating to the reliability of transmission systems; and in Section 34.(1) 3. To implement standards or criteria of a standards authority.

The Canadian Electricity Association⁷ is the advocate for the Canadian electricity industry, and interfaces with both the Canadian federal government and each of the provincial governments on the industry's behalf on issues such as NERC compliance.

Teeth for Enforcing Compliance

It will be the responsibility of the ERO to create "teeth" or penalties for non-compliance with their information security standards, and have the authority to enforce sanctions.

Regulatory enforcement in the U.S. will be straightforward, via the ERO, presumably NERC. In Canada, enforcement will flow to the provincial Independent Market Operators (IMOs), such as the Independent Electricity System Operator (IESO)⁸ in Ontario. However, Canadian provincial jurisdictions have the option of delegating enforcement to the ERO and to ERO Regional Councils, as an alternative to performing their own enforcement.

Thus, enforcement does not automatically flow to provincial IMOs. Regulatory compliance will also flow from contractual arrangements between market participants, from those responsible for compliance to those that are not yet responsible for compliance.

There is also the motivation of self-preservation causing participants to comply voluntarily, as no entity wants to be the cause or a conveyor of a catastrophic availability meltdown.

Timetables

Before identifying the current NERC timetables for compliance, it is useful for purposes of clarity to identify several of the NERC standards:

1. NERC 1200, urgent action. This is a current compliance standard.⁹
2. CIP-002-1 through CIP-009-1, draft 4. This is the most current standard, but still under review.¹⁰
3. NERC 1300 is an older standard. It was the update of NERC 1200. NERC 1300 was then replaced by CIP-002-1 through CIP-009-1.

The first actual timetable for compliance deals with the ratification of a final CIP-002 standard, which has a stated completion date of June 1, 2006. Figure 1 identifies NERC's proposed schedule.¹¹

Figure 1: CIP—002 Development Plan

The second concurrent activity deals with the selection of the ERO. Figure 2 identifies key times associated with this process.

Figure 2: FERC Selection of the ERO

Compliance Schedule by Responsible Entity Category

NERC has published a granular description of compliance requirements by responsible entity category. A summary of this phased compliance schedule is shown in Figure 3.

Figure 3: Summary Compliance Schedule by Responsible Entity Category

Conclusion

December 31, 2006 is an important compliance date for Interchange Authorities, Transmission Owners, Generator Owners, Generator Operators, and Load-Serving Entities. Following shortly is another compliance date of June 31, 2007 for Balancing Authorities and Transmission Operators. Compliance may also flow to market participants in contractual relationships with organizations obligated to comply.

Some organizations have misinterpreted the compliance timetable and have erroneously assumed 2010 to be the start date for their obligations. Closer scrutiny to the NERC timetable will reveal that time is of the essence for responsible entities to be well underway in their compliance efforts for NERC 1200 or for CIP-002-1 through CIP-009-1.

Notes

(1) http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_bills&docid=f:h6enr.txt.pdf
(2) Contact ERE for a copy of the document, which was previously posted at www.nerc.com
(3) Search ERO to find http://www.ferc.gov/industries/electric/indus-act/reliability/E-1-overview.pdf
(4) Contact ERE for a copy of the document, which was previously posted at www.nerc.com
(5) NEB has jurisdiction over international power lines and Electricity Exports. http://www.neb-one.gc.ca/clf-nsi/index.html
(6) http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/98e15_e.htm
(7) Contact ERE for a copy of the document, which was previously posted at http://www.canelect.ca/en/home.html
(8) http://www.theimo.com/
(9) Contact ERE for a copy of the document, which was previously posted at www.nerc.com
(10) Contact ERE for a copy of the document, which was previously posted at www.nerc.com
(11) Contact ERE for a copy of the document, which was previously posted at www.nerc.com

About the Author

Ron Lepofsky is the President and CEO of ERE Information Security Auditors. ERE provides services to electricity generation/transmission/distribution participants, large publicly traded corporations, the financial industry, manufacturing/distribution organizations, and to large law firms. ERE clients span Canada, USA and Europe.