Commissioner LafLeur Statement

November 21, 2013
Commissioner Cheryl A. LaFleur

Docket Nos. RM13-5-000, RM13-12-000, RM13-14-000, RM13-15-000, and RM13-8-000
Item Nos. E-2, E-3 & E-4

Statement of Commissioner Cheryl A. LaFleur on
Multiple Reliability Orders
“The reliability orders on today’s agenda address matters critical to the reliability of the bulk electric system. Three
of today’s orders also have broader implications for NERC’s efforts to reform its standards development process and
enforcement processes.
“Over the last year, NERC has implemented two significant policy initiatives. One involves an approach to drafting
standards that emphasizes efficiency, attention to risk, and avoidance of redundant requirements. The other is an
effort to shift the focus of enforcement away from tallying individual violations and instead fix it on the quality of a
company’s internal controls and compliance program. These initiatives complement one another. If the standards are
written efficiently to require performance results rather than documentation, there will be less confusion and fewer
violations of a purely administrative character. At the same time, when there are minor violations that do not
significantly affect the grid, NERC’s expressed intent is that they can be addressed by a review of an entity’s
compliance program rather than in an resource-intensive adversarial proceeding on each violation.
“Today’s orders on cyber security, the TOP and IRO standards, and NERC’s petition to retire certain reliability
requirements speak not only to the particular matters at issue in those proceedings, but also to both of these
initiatives. I strongly support NERC’s efforts in both the standards and enforcement areas, but emphasize that for
them to be successful the standards themselves must be clear, enforceable, and technically justified.
E-2 CIP 5 Order
“Today’s order substantially approves Version 5 of the Critical Infrastructure Protection (CIP) Standards. Version 5 is a
significant step forward for cyber security. For the first time, all bulk electric system cyber assets will be required to
receive some level of protection, commensurate with their impact on the grid. This advancement, combined with
several new cyber security controls developed by NERC, puts into place the most comprehensive cyber protections yet
approved by the Commission.
“Although the Version 5 Standards are a significant improvement over the previously effective standard, the
Commission directs two modifications that I would like to note. First, the Commission directs removal of language that
requires certain CIP requirements to be implemented in a manner that “identifies, assesses, and corrects”
deficiencies. Commenters disagreed over the obligations imposed by this language, highlighting its inherent ambiguity
and underscoring the Commission’s previously stated concerns about its enforceability and consistent application across
regions.
“As I have remarked on other occasions, all involved in the ERO enterprise must have a common understanding of the
obligations imposed by reliability standards. Otherwise, we risk creating gaps in reliability, confusion during audits,
and a compliance backlog that diverts resources away from improving reliability. And, while I strongly support NERC’s
effort to reform its enforcement process, enforcement considerations should not cause the standards themselves to be
ambiguous.

“Second, the Commission requires NERC to develop objective criteria against which NERC and the Commission can
evaluate the sufficiency of entities’ cyber protections for low impact assets. Some commenters argued against such a
modification on the grounds that it would increase their administrative burden without increasing reliability. While by
definition low impact facilities do not pose as great a risk to the bulk electric system as high or medium impact
facilities, the lack of clear standards against which NERC and the Commission can evaluate entities’ protections for low
impact facilities undermines one of the most important improvements in the Version 5 Standards: the requirement that
all bulk electric system cyber assets receive a defined level of protection commensurate with their impact on the
system. It also introduces an unacceptable level of ambiguity and potential inconsistency into the compliance process
and creates an unnecessary gap in reliability.
“However, the order does not require NERC to develop a list of specific controls for low impact facilities. NERC is free
to respond to our directive by developing such a list, but it has the flexibility to address our concerns through other
means. For example, NERC could define an appropriate set of control objectives for low impact assets, subdivide low
impact assets into different categories with different defined controls or control objectives applicable to each
subcategory, or define with greater specificity the policies that responsible entities must have in order to comply with
CIP-003-5, Requirement R2. NERC may also propose an alternative approach that addresses our concern in an equally
efficient and effective manner.
E-3 Order on TOP and IRO Standards
“Our order on the TOP and IRO standards also has broader implications for NERC’s ongoing efforts to improve the
standards development process. NERC proposed revisions to the currently effective standards with the intent to
combine similar requirements, clarify entities’ responsibilities, and eliminate redundant or ineffective requirements. I
agree with these goals and encourage NERC to continue to find ways to improve the reliability standards.
“However, NERC’s proposal in this instance goes further and eliminates transmission operators’ current obligation to
monitor and operate within all system operating limits. For example, if they are not designated as interconnection
reliability operating limits, NERC’s proposal would exclude from monitoring certain system operating limits within one
transmission operator’s area that impact another transmission operator’s area. As the order explains, experience,
including the 2011 Southwest Blackout, indicates that even system operating limits that are not designated as
interconnection reliability operating limits can initiate an outage or contribute to deteriorating conditions. In short,
we cannot always foresee what operating limits will be critical in an emergency. Therefore, we propose to remand the
standards, but give NERC and other commenters an opportunity to respond to this and other concerns we raise in the
order.
E-4 Order on Proposal to Retire Standards
“The proposal to remand the TOP and IRO standards should not be mistaken as a lack of support for NERC’s ongoing
efforts to streamline and improve reliability standards. In today’s order approving NERC’s petition to retire certain
reliability requirements, the Commission makes clear that it agrees with NERC’s plan to consolidate, retire, and
otherwise streamline requirements through the standards development process
“I believe that, taken a whole, today’s orders signal broad support for NERC’s efforts to revamp the standards
development and enforcement processes, but caution with respect to the details. I look forward to continuing to work
with my fellow Commissioners, NERC, the regional entities, and industry stakeholders on these important efforts in an
order to make the work of the ERO enterprise more efficient and sustainable.”