The top U.S. grid security monitor is pushing the Federal Energy Regulatory Commission to delay seven cybersecurity and workforce standards set to take effect this year, citing the COVID-19 pandemic.
The North American Electric Reliability Corp. said its motion to postpone the rules is aimed at ensuring "grid reliability amid the impacts posed by the coronavirus outbreak, a public health emergency that is unprecedented in modern times." The nonprofit sets cyber and physical security requirements for large U.S. electric utilities under oversight from FERC.
NERC is requesting to delay by six months enforcement of two training standards set to start Oct. 1 and to delay five other reliability standards slated for July 1, including three extra months to comply with a significant rule that covers utilities’ plans for supply chain cybersecurity.
"The added flexibility provided by a three-month delay would allow entities to recover from the impacts of the coronavirus outbreak before implementing new controls and new supply chain processes," NERC said in the filing.
FERC must still approve the motion for the extensions to take effect. The agency has already said it will relax enforcement for some regulations as well as halt new audits until after July 31 (Energywire, April 3).
NERC and FERC have previously said they will be lenient when it comes to certain standards covering facility maintenance and professional certifications for grid operators, among other areas (Energywire, March 19).
Several federal agencies have moved to relax regulations as industries and businesses grapple with the pandemic. Late last month, EPA said it will show discretion to companies that miss deadlines or exceed pollution limits, garnering harsh criticism from Democratic lawmakers (Greenwire, March 31).
NERC said that it will examine the need for additional delays, as there are "significant uncertainties regarding the duration of the outbreak and the subsequent recovery."
The grid overseer also asked that FERC speed up the period usually required to answer. The agency approved that request and said it would respond to NERC’s motion by Thursday.
"We do not comment on items that are pending before the commission. But as the chairman [Neil Chatterjee] has said, the commission will be giving requests for coronavirus relief expedited consideration and the highest priority," said FERC spokeswoman Mary O’Driscoll.
Tom Alrich, a grid security consultant, said he has been calling on NERC to delay the upcoming standards due to the spreading virus.
"COVID-19 has just been getting worse by the day," said Alrich. "Probably these utilities are still going to be working from home, at least in June, maybe even July 1, when the standard was due. You just can’t do it under those circumstances."
Delia Patterson, senior vice president of advocacy and communications and general counsel at the American Public Power Association, said that the group is "greatly appreciative of NERC’s action to defer implementation of several reliability standards as the electric utility industry works to respond to COVID-19."
"We are confident that NERC will continue to monitor the situation in order to determine whether additional implementation deferrals are necessary," said Patterson.
Phil Moeller, the Edison Electric Institute’s executive vice president of the business operations group and regulatory affairs, said that the industry group "greatly appreciate[s] the ongoing leadership and support of NERC and the FERC" as utilities grapple with the coronavirus.
"EEI’s member companies remain committed to compliance with security and reliability standards, and they will continue the critical work of further securing their systems and their supply chains," Moeller said.
Jim Cunningham, executive director of Protect Our Power, a grid security advocacy organization, said that although he appreciates the reason for NERC’s motion, the risk that hackers pose to the supply chain for the electric grid is a crisis unto itself. He pointed out that a recent report from the Cyberspace Solarium Commission singled out supply chain security dangers as a priority for U.S. policymakers (Energywire, March 12).
"We should never lose the sense of urgency in dealing with one crisis as a result of what we’re doing to resolve another crisis," said Cunningham.
He also said that because the supply chain standard was approved 15 months ago, many utilities may already be prepared for complying with it by July 1, and that FERC could consider giving them 30 additional days as opposed to three months.
Tyson Slocum, energy program director at Public Citizen, said that "it is a challenging time for any industry to implement some sort of new standard," and NERC is making a "reasonable request."
"It’s transparent. We know about it, and FERC’s response will be public," Slocum said.