Regulatory Updates

DHS and National Cybersecurity Center Host Cyber Security Webinar

The Department of Homeland Security (“DHS”) and the National Cybersecurity and Communications Integration Center (“NCCIC”) joined together to host an unclassified webinar to brief on Russian government cyber activity against critical infrastructure. The webinar series is offered in response to Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The webinar presentation included an overview of recent attacks and various common techniques used to infiltrate targets.

The presentation focused on the penetration of corporate networks and the targeting of control systems. NCCIC emphasized that threat actors often first attack a “staged target” that has a preexisting relationship with the “intended target.” This strategy lays the groundwork for sending phishing emails that appear to come from a trusted source but actually contain malware. If recipients are not careful, clicking on links or opening attachments from these sources can give threat actors access to credentials that could open the entire corporation, along with its customers, to a cyberattack.

NCCIC recommended protective measures to be undertaken by all corporations. First, corporations should conduct an initial triage of their systems and practices, including searching for known indicators in their historical logs. NCCIC also emphasized not whitelisting network traffic with any trust partners because of the possibility they are a staged target. Second, corporations must continue to monitor their systems and anticipate so-called spearphishing and watering hole attempts. Finally, NCCIC recommended blocking all external Server Message Block (“SMB”) network traffic as well as requiring multi-factor authentication for all external interfaces. NCCIC also reemphasized that it can be contacted by any entity that has questions or would like to receive an analysis of its current system. NCCIC can be contacted by email or by phone at 1-888-282-0870.

A copy of the presentation can be found here: https://www.us-cert.gov/sites/default/files/c3vp/Russian_Activity_Webinar_Slides.pdf

For more information, please contact Kristen Connolly McCullough or Sean Neal.

FERC Split on Consideration of Greenhouse Gas Emissions in Pipeline Permitting – Proceeds with Notice of Inquiry

On June 12, 2018, the Federal Energy Regulatory Commission (FERC) issued an order that implicates the scope of environmental review in pipeline permitting decisions under section 7 of the Natural Gas Act. See Tennessee Gas Pipeline Co., LLC, Docket No. CP15-77-001, order denying reh’g and dismissing clarification. The June 12 Order applied a new policy announced in a May 2018 pipeline certificate proceeding, which limits FERC’s review and disclosure of upstream and downstream greenhouse gas emissions as part of FERC’s National Environmental Policy Act responsibility and public interest determination under the Natural Gas Act. See Dominion Transmission – New Market Project, Docket No. CP14-497. Specifically, a majority of Commissioners found that the environmental effects of natural gas production are neither caused by a proposed pipeline nor reasonably foreseeable consequences of FERC’s approval of a proposed pipeline. In the absence of record evidence showing that the project’s specific adverse consequences are against the public interest, FERC limited its environmental review to exclude consideration of greenhouse gas emissions. FERC distinguishes Sierra Club v FERC, where the D.C. Circuit ordered FERC to determine downstream usage, asserting that downstream use of the gas was foreseeable in that particular case due to the pipeline project delivering natural gas to identifiable gas-fired electric generating plants.

Commissioner Richard Glick dissented from the June 12 order, as he did in the May 2018 decision that announced the new policy, writing that “a project’s upstream and downstream natural gas production and consumption are indirect environmental impacts that should be considered when reviewing applications to address public interest.” Commissioner Glick found that the public interest cannot be met without adequate environmental reviews to address rapid climate change. Though she disagrees with FERC’s new policy, Commissioner LaFleur issued a concurring opinion in support of the proposed pipeline. Citing her independent analysis of the best available information, Commissioner LaFleur concluded that the downstream and upstream impacts do not outweigh the pipeline’s public interest benefits.

In April 2018, FERC issued a Notice of Inquiry, Docket No. PL18-1-000, that seeks comment on its review under section 7 of the Natural Gas Act. The Notice of Inquiry specifically addresses whether FERC should consider upstream production and downstream consumption greenhouse gas emissions impacts in its certification proceedings.

For more information on these proceedings, please contact Pete Scanlon, Jason Gray, or Kathleen Mazure.

California Regulators Hold “Green Book” En Banc Conference to Debate California Customer Choice

On June 22, 2018, the California Public Utilities Commission (“CPUC”) and California Energy Commission (“CEC”) convened an En Banc hearing on the recently released Draft Green Book, which details the evolving framework of California Customer Choice. The agencies held the En Banc in light of the explosive growth of Community Choice Aggregators (“CCAs”) in California and growing options for retail Direct Access, and to discuss possible changes to be considered with respect to California’s regulatory framework. The panel discussions included representatives from CCAs, Investor Owned Utilities (“IOUs”), elected officials, Electricity Service Providers (“ESPs”), trade organizations and academia. Significant parts of the discussion involved the question of how, in loosening state regulatory control, California could avoid unintended outcomes and breakdowns in services such as had occurred in the 2000-2001 Energy Crisis.

Mayor Sam Liccardo of San Jose and Supervisor Kathrin Sears of Marin County, and Chair of Marin Clean Energy, participated in panels highlighting the success and potential of CCAs in California. They both emphasized that the local customers desired their electricity to be produced from renewable resources and at lower rates than incumbent utilities, which CCAs are able to offer. They underscored that CCAs are run by local, elected officials who are held accountable to their constituents. A key aspect which has made CCAs successful is their flexibility to innovate and to pursue renewable resources at affordable rates.

The En Banc meeting was bookended by the remarks of an Ad Hoc Committee comprised of former Federal Energy Regulatory Commission Chair, Pat Wood, and Natural Resources Defense Council Senior Attorney, Ralph Cavanagh. They provided observations on the tensions between the advantages of the flexibilities offered by the new energy organizations and the benefits of centrally decided procurement decisions.

The CPUC stated that it hopes to have updated views, in the form of a Final Green Book, available to the public in October. In the meantime, the CPUC requested that stakeholders submit comments both in CEC Docket No. 18-IEPR-01 and to the CPUC Consumer Choice mailbox by July 11, 2018.

For further information on CCAs, please contact Michael Postar, Sean M. Neal, Peter Scanlon, Bhaveeta K. Mody, or Andrew B. Art.

Moody’s Issues Credit Rating to a Community Choice Aggregator

On May 16, 2018, Moody’s Investors Service, a financial and economic rating agency, issued its first ever credit rating to a Community Choice Aggregator (CCA). Marin Clean Energy, founded in 2008 pursuant to a Joint Exercise of Powers Act, is the first California CCA, and the first ever to receive a credit rating, Baa2, subject to moderate risk. CCAs are administered by local government authorities with a mission to provide competitive retail electric alternatives to Investor Owned Utility providers. CCAs have built new, local renewable generation facilities led by early efforts from Marin Clean Energy. CCAs also allow for communities to join together to purchase electricity on behalf of their community members, typically to provide access to carbon-free resources.

Moody’s credit rating highlights Marin Clean Energy’s 2017 upward growth in retail sales, which accounts for 62% of renewable energy, and its customer base, which currently stands at more than 400,000 customers.

NIST Releases Updated Version of Cybersecurity Framework

On April 16, 2018, the Department of Commerce’s National Institute of Standards and Technology (NIST) issued an updated version of its Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the Cybersecurity Framework. The new version, Cybersecurity Framework, Version 1.1, was published following a public comment period, stakeholder workshops, and two draft versions released in 2017. The Cybersecurity Framework was first introduced in February 2014, when Version 1.0 was first published. The current update, available here, includes updates on risk self-assessment, identity and authentication, vulnerability assessments, and standardized terminology to better manage supply chain cyber risks.

The Cybersecurity Framework is intended to be an ongoing public-private effort to address cybersecurity risks in a wide range of technology environments and businesses that utilize critical infrastructure. The Cybersecurity Framework was first envisaged by Presidential Executive Order No. 13636 in 2013, available here, which directed NIST to produce a set of voluntary standards for physical and cyber critical infrastructure assets that would establish standards that are cost-effective, risk-based, and replicable.

NERC Fines Registered Entity in WECC $2.7 Million for Cyber Security Breach

The North American Electric Reliability Corporation (NERC) has fined an unnamed power company $2.7 million for unwittingly exposing critical cybersecurity data that could have allowed hackers to gain access to its systems, according to a notice recently filed with the Federal Energy Regulatory Commission. NERC, which oversees the reliability of the U.S. bulk power system, said in a February 28, 2018 Notice of Penalty that the unidentified power company had reached a settlement with the Western Electricity Coordinating Council (WECC), which handles grid reliability for the Western Interconnection.

Specifically, a third-party contractor to the utility exceeded its authorized access by improperly copying certain data from the utility’s network environment to the contractor's network environment, where it was no longer subject to the utility’s visibility or controls. The contractor failed to comply with the utility’s information protection program on which it was trained. While the data was on the contractor's network, a subset of live data was accessible online without the need to enter a user ID or password. WECC determined the utility failed to adequately implement its program to identify, classify, and protect information associated with critical cyber assets, as required by Reliability Standard CIP-003-3 R4, as well as failed to implement adequately a program for managing access to protected information related to critical cyber assets, as required by Reliability Standard CIP-003-3 R5.

Please contact Lisa Gast, Kristen Connolly McCullough and Sean Neal for further information on compliance with NERC Reliability Standards.

FERC Finds PJM Transmission Owners’ Supplemental Project Planning Process Is Not in Compliance with Order No. 890

On February 15, 2018, the Federal Energy Regulatory Commission (“FERC”) issued an order[i] finding that the transmission planning practices employed by PJM Interconnection, LLC (“PJM”) Transmission Owners (“TOs”) for developing a specific category of transmission projects (called “Supplemental Projects”)[ii] are inconsistent with Order No. 890’s transmission planning principles. The PJM Order is accessible here.

In particular, based on the record of evidence in the Show Cause proceeding it had initiated in August 2016 under section 206 of the Federal Power Act (“FPA”),[iii] FERC found that the PJM TOs’ practices for planning Supplemental Projects violate Order No. 890’s coordination and transparency principles. FERC thus found that the associated provisions of the PJM Operating Agreement and the PJM Open Access Transmission Tariff (“OATT”) are not just and reasonable and are unduly discriminatory and preferential.

NIST Provides Draft Update to Cybersecurity Framework

On December 5, 2017, the Department of Commerce’s National Institute of Standards and Technology (NIST) issued an update to its Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the Cybersecurity Framework. This update is part of the first set of updates to the Cybersecurity Framework since it was first introduced in February 2014, when Version 1.0 was first published. The current update, available here, is the second draft of Cybersecurity Framework Version 1.1. The update is the result of a series of workshops and public comment review periods since the launch of the original Cybersecurity Framework in 2014.

The Cybersecurity Framework was first envisaged by Presidential Executive Order No. 13636 in 2013, available here, which directed NIST to produce a set of voluntary standards for physical and cyber critical infrastructure assets that would establish standards that are cost-effective, risk-based, and replicable. NIST’s role in producing these voluntary standards was subsequently codified in statute by the Cybersecurity Enhancement Act of 2014, available here. The Federal Energy Regulatory Commission (FERC) often directs the nation’s self-governing electric reliability organization, the North American Electric Reliability Corporation (NERC), to adopt NIST guidelines.
