NERC got hit hard by Congress in the May Congressional Subcommittee Hearings, most notably on providing false information to Congress in the past. Some members of the Subcommittee went as far as saying NERC needed to be replaced as the ERO. There had to be some action plan by NERC to attempt to restore faith, and to that end a letter and press release were published today.
The highlights are:
- NERC will now have a CSO and a Critical Infrastructure Protection program as a “statutory function”
- Investigate a streamlined, emergency standards-making process
- Communicate better
I have a tough time writing a logical, consistent analysis of this. On one hand it reads: this is so hard, we have limitations on what we can do, blah, blah, blah, reorganize to better address, blah, blah, blah, communicate better. Very political and bureaucratic, but then again when Congress got involved it is undoubtedly political. This may be what is required to get Congress off their back, but I doubt it. At the last meeting it was clear that FERC had ameliorated Congress and NERC was the target of wrath. I don’t see anything in this letter or press release that would change Congressional attitude. In fact, a large portion of the letter gives excuses/reasons why NERC can’t do better. Will responding weakly only harden Congressional opinion?
On the other hand, if one reads this as a statement of emphasis and improvement it does little to impress. Where is the focus on the guidance documents and changes that FERC and many asset owners had asked for? So many electric utilities are begging for guidance on what many of the broadly written requirements mean and what is going to be an acceptable solution from an audit perspective. Many because they want to do the right thing and some because they want to do the minimum necessary. If NERC wanted to add rigor they could do this through audit guideline documents.
Where is the detail on how NERC is going to accelerate the 2nd Generation of the CIP standards or perhaps a more detailed and rigorous audit schedule? [There is so much room in an audit that we have wondered how audits will be performed with any level of consistency across the country.] These actions and information would be a lot more persuasive to a security professional, maybe or maybe not to Congress, than a re-org.
To be clear, we have seen marked improvement in the level of effort and security posture of electric utilities that can be attributed to the NERC CIP standards. If they went away or were delayed it would negatively impact the security of the bulk power system. But when your boss’s boss tells you to do something and threatens to fire you, it would be wise to respond with a very strong effort. That may be the issue: NERC may have trouble deciding which boss to listen to. The ERO portion should listen solely to FERC who has to answer to some degree to Congress, but the majority of the work NERC does is for its members, the electric utilities.