US: FERC grants NERC grace on rollout of new cybersecurity rules


The FERC has acquiesced to a request by the North American Electric Reliability Corporation (NERC) to defer implementation of several cybersecurity-related reliability standards that would have come into effect this year.

Some standards that were set to take effect in July 2020 will now take effect on 01 October, and others are pushed out as far as April 2021. You can read the full FERC order here.

NERC filed its motion to help ensure grid reliability amid the impacts posed by COVID-19 and noted that the Commission and NERC had already taken steps in recognition of the “critical importance of the reliability of the nation’s energy sector and the steps that registered entities are taking to maintain the health and safety of their workforce and communities.”

In order to comply with the new standards, NERC said that utilities would need to expend significant effort and resources in the coming months towards establishing and implementing processes and procedures, conducting the required coordination, and establishing documentation of compliance.

“[By] providing for additional time and flexibility to establish compliance with new obligations, entities could continue to focus their immediate efforts and resources on maintaining the safety of their workforces and communities and ensuring the reliability of the grid during this public health emergency,” said NERC in the request.

Alex Santos, CEO of Fortress Information Security, said in response to the order that his company fully supports the delay.

“Our nation’s power grid remains strong and secure, but this summer will require utilities of all types and sizes across the country to come together and collaborate to identify critical risks and protect the supply chain from emerging threats.”

In the order, the FERC noted that Protect our Power, an organization that has held annual meetings at DISTRIBUTECH International for the past two years, was against the request and had lobbied for a shorter delay of only 30 days. The group argued that a pandemic was not unexpected and that the industry should have been prepared.