Protecting the Grid Against Cyber Attack


Congress Passed EPACT 2005 in Response to the 2003 Northeast Blackout

A failure of voluntary compliance with industry reliability standards led to the 2003 Northeast Power Blackout. To prevent such blackouts in the future, Congress passed the Energy Policy Act of 2005 (EPACT 2005). EPACT 2005 gave the Federal Energy Regulatory Commission (FERC) authority to implement mandatory reliability standards and to assess penalties for non-compliance.

FERC Names NERC the Electric Reliability Organization

EPACT 2005 directed FERC to identify an independent entity, referred to as an Electric Reliability Organization, that would be responsible for developing and enforcing mandatory standards for the reliable operation and planning of the bulk-power system throughout North America.

In June 2006 FERC named the North American Electric Reliability Corporation (NERC) as the Electric Reliability Organization (ERO). NERC now operates under the oversight of FERC.

NERC’s Role as the Electric Reliability Organization

NERC operates as a 501(c)(6) not-for-profit corporation. It is run by a Board of Trustees elected by its roughly 1,900 members, all of whom are participants in the electric industry. NERC states that its role is:

to improve the reliability and security of the bulk power system in the United States, Canada and part of Mexico. The organization aims to do that not only by enforcing compliance with mandatory reliability standards, but also by acting as a catalyst for positive change — including shedding light on system weaknesses, helping industry participants operate and plan to the highest possible level, and communicating lessons learned throughout the industry.

The following video explains NERC's history and responsibilities:

In its role as ERO, NERC develops the mandatory reliability standards that owners and operators of the high voltage electric transmission lines and interconnected generation facilities must now follow. The transmission system and the generating facilities are referred to collectively as the Bulk Electric System, or BES. NERC develops its mandatory standards through standing committees whose members are drawn from the industry.

NERC oversees eight Regional Entities (depicted in the following map) that are responsible for auditing industry compliance with the mandatory standards.

NERC’s Role in Grid Cybersecurity

NERC's first action after being designated ERO was the development of reliability standards related to the operation of BES property. Those early reliability standards covered things like tree trimming, testing of relays and breakers, physical barriers to trespassing and testing of backup systems.

NERC then moved on to mandatory reliability standards related to grid cybersecurity. NERC implemented 9 Critical Infrastructure Protection (CIP) standards that are intended to provide for grid cybersecurity.

These 9 CIP cybersecurity standards require all owners and operators of facilities interconnected to the BES (referred to as Responsible Entities) to identify and protect their Critical Cyber Assets. NERC defines Cyber Assets generally as programmable electronic devices, including the hardware, software, and data in those devices. NERC defines Critical Cyber Assets as Cyber Assets that are essential to the reliable operation of Critical Assets, which are in turn defined as facilities, systems and equipment which, if made inoperable, would affect the reliable operation of the BES. (Later revisions of the CIP standards, from version 5 onward, replaced the Critical Cyber Asset terminology with "BES Cyber Systems" categorized by their impact on the BES, but the underlying obligation to identify and protect the cyber equipment that matters to reliability is the same.)

In other words, the 9 CIP cybersecurity standards require Responsible Entities (the utilities and generation owners) to identify, and protect from attack, all cyber equipment which, if lost, could affect the reliable operation of the Bulk Electric System. In particular, the 9 CIP cybersecurity standards require the following:

  • Identification by each utility of its own Critical Cyber Assets
  • Installation of security management controls for Critical Cyber Assets
  • Security training for employees who operate Critical Cyber Assets
  • Establishment of electronic security perimeters around Critical Cyber Assets
  • Establishment of physical security around Critical Cyber Assets
  • Systems security management
  • Cyber security incident reporting and response planning
  • Recovery plans for incidents related to Critical Cyber Assets

If one of the Regional Entities finds that a Responsible Entity has not complied with one or more of the CIP standards, it will work with the Responsible Entity to correct or "mitigate" the violation. The Regional Entity may also bring the violation to the attention of FERC, which has authority to assess penalties of up to $1 million per day per violation. While most of the FERC penalties have been far less than this amount, in February 2019 FERC announced penalties totaling $10 million against Duke Energy for over 100 violations going back over three years.


I. David Rosenstein worked as a consulting engineer and attorney in the electric industry for 40 years. At various times during his career he worked for utility customers, Rural Electric Cooperatives, traditional investor owned regulated utilities and deregulated power generation companies. Each of his posts in this blog describes a different aspect of the past, present or future of the electric industry. 
