Commissioner LaFleur Statement

Commissioner LaFleur Statement (CIP v5) RM13-5 4-18-13.pdf

FERC-725B [RM13-5 NOPR] Mandatory Reliability Standards for Critical Infrastructure Protection

OMB: 1902-0248

April 18, 2013
Commissioner Cheryl A. LaFleur

Docket Nos. FA11-21-000, RM13-5-000, RM12-16-000 & RM12-7-001
Item Nos. E-6, E-7, E-8 & E9

Statement of Commissioner Cheryl A. LaFleur on Reliability Orders

“I am pleased to support the four reliability orders on today’s agenda. Three of these orders address matters critical
to the reliability of the bulk electric system, including cyber security, while the fourth provides important guidance to
NERC as it continues to carry out its function as the Electric Reliability Organization (ERO).

Cyber Security Standards

“The most significant reliability matter the Commission acts on today is NERC’s petition to approve Version 5 of the
Critical Infrastructure Protection Standards (CIP Standards). These Standards protect the cyber security of the North
American grid.
“Cyber security has received a great deal of attention in recent months, thanks in large part to President Obama’s
recent Executive Order on this issue. In my mind, the President’s recent Executive Order is more than a call for action
on specific items—it is a challenge to each of us in positions of authority and influence to build a culture of cyber
security. As the President observed a few years ago, “the great irony of our Information Age” is that “the very
technologies that empower us to create and to build also empower those who would disrupt and destroy.” We must do
our part to defend against those who would use the benefits of technology for harmful purposes.
“In the electric industry, we have been aware of cyber security as an emerging issue for a number of years. And while
the Commission will do its part under the Executive Order, we are fortunate that in the Energy Policy Act of 2005
Congress gave us independent statutory authority over the cyber security of the grid. We have exercised this authority
by requiring NERC to adopt the CIP Standards and to make modifications that improve their effectiveness.
“Earlier this week, I was honored to speak at the Woodrow Wilson Center at a forum on U.S. and Canadian efforts to
protect the cyber security of the North American grid. During the discussion, participant after participant stressed a
common theme: cyber security is a journey, not a destination. We will always be adapting because the threats are
always changing.
“At one point, I drew an analogy between the CIP Standards and the iPhone. Just when you think you have the latest,
greatest version, something new comes along—something that has more coverage, a better user interface, or more
features. The same is true with the CIP Standards. There is always room for improvement. There is always a way to
better distinguish or capture more assets.
“The Version 5 CIP Standards we propose to approve today are a significant improvement over the currently effective
Version 3 Standards and the Version 4 Standards scheduled to go into effect next April. Following an approach
recommended by the National Institute of Standards and Technology (NIST), the Version 5 Standards require, for the
first time, that all cyber systems receive some level of protection based on their impact on the grid. Because we agree
with NERC that this and other modifications represent a significant improvement over Versions 3 and 4, we propose to
approve NERC’s request to skip Version 4 and require compliance directly with Version 5.

“However, it is important to note that we do identify concerns with and ask questions about certain elements of the
proposed Version 5 Standards. For example, language requiring entities to “identify, assess, and correct” deficiencies
may result in requirements that are unclear and difficult to audit or enforce. Therefore, we seek comment on several
concerns related to this language. We also seek comment on whether the two-year implementation period for Medium
and High Impact assets and the three-year implementation period for Low Impact assets are necessary, or can be
accomplished more quickly. I look forward to receiving a broad range of comments on these issues and on all of the
issues raised in the NOPR.
“I want to thank both the standards drafting team and FERC staff that worked on all the orders we vote out today. On
CIP in particular, we heard from many people that quick action on Version 5 was important for entities unsure of
whether or not to dedicate the resources necessary to comply with Version 4 or to focus instead on compliance with
Version 5. Thank you for turning the order around so promptly.

BES Rehearing

“In addition to its action on the CIP Standards, the Commission largely affirms its Final Rule approving a new definition
of the Bulk Electric System (BES), including its findings that certain networked configurations do not qualify as radial
for the purposes of Exclusion E-1 but may qualify as local networks for the purposes of Exclusion E-3. The Commission
explains, however, that NERC is free to develop equally efficient and effective alternatives to modifying Exclusion E-3
to include the configurations that are not eligible for Exclusion E-1.
“Among other things, the Commission clarifies that:
1. Currently unregistered entities or entities with facilities that are included in the BES for the first time as a
result of the new definition do not have to comply with newly relevant Reliability Standards during the
pendency of their exception request. The Commission expects entities to file, and NERC to decide, any
exception requests during the two-year transition period approved in the Final Rule.
2. The exceptions process and the process for the Commission making local distribution determinations are
separate, not concurrent, and result in different determinations.
3. State regulators may participate in local distribution determinations, but the question of whether a facility is
local distribution is a question of fact that will be decided by the Commission; and
4. In the absence of bad faith, if an entity applies the new BES definition and determines that a facility is no
longer in the BES, that facility will be treated as non-BES and therefore exempt from relevant Reliability
Standards, upon notification of the appropriate Regional Entity. This status will continue unless NERC makes a
contrary determination. In the event NERC makes a contrary determination, the entity will not be subject to
retroactive liability for the time when it had the good-faith belief that the facility was not included in the BES.

Generator Interconnection Lines

“The Commission also proposes to approve modifications to four Reliability Standards to clarify that they apply to
generator lead lines. Notably, one of these Standards is the Vegetation Management Standard, while two others
pertain to protection systems. While NERC acknowledges that complex cases will continue to require case-by-case
determinations of what Standards apply to generator lead lines, the modifications we propose to approve today will
provide greater reliability by imposing certain basic requirements on all generator lead lines.

NERC Audit

“Finally, the Commission largely approves NERC’s criteria for determining whether an activity may be funded pursuant
to section 215 of the Federal Power Act. These criteria will guide NERC in future budget proceedings. Equally as
important, this order concludes the audit proceeding initiated by the Office of Enforcement in 2012. I am confident
that NERC and the Commission can now move forward and continue our productive relationship.”


File Type: application/pdf
File Title: Headline
Author: Diane Bernier
File Modified: 2013-04-18
File Created: 2013-04-18
