Search
December 5, 2025

Posted on

What You Need To Know About CIP Version 5

NERC’s version 5 Critical Infrastructure Protection (CIP) rules include 10 standards, two of them new.

The commission’s conditional approval of version 5 came in the form of a Notice of Proposed Rulemaking. The commission will accept comments on the new rules for 60 days after their publication in the Federal Register.

The commission said NERC had not provided justification for setting a 24-month implementation period for High Impact and Medium Impact BES Cyber Systems, and a 36-month implementation period for Low Impact systems.

CIP version 3 (CIP-002-3 through CIP-009-3) will remain in effect until the effective date of version 5.  Version 4 (CIP-002-4 through CIP-009-4) will not take effect as originally planned.

Version 5 requires registered entities to classify all of their Bulk Electric System (BES) facilities based on their impact on reliability. The Low, Medium or High impact categories replace the previous approach, in which facilities were either covered or not covered by CIP standards.

NERC Critical Infrastructure Protection Violations 2008-2012
NERC Critical Infrastructure Protection Violations 2008-2012
Reason for Change:

Version 5 adds new cybersecurity controls and extends the scope of the systems protected by them. Many of the changes were directed by the Commission in Order 706 (Jan. 18, 2008).

The shift to identifying and categorizing high, medium and low impact systems was based on a review of the National Institute of Standards and Technology (NIST) risk management framework for categorizing and applying security controls.

Impact:

Version 5 is comprised of 10 standards, one covering the categorization of assets and nine mitigating their risk of being compromised (see Highlights of CIP Version 5). It includes 15 newly defined terms, modifications to four existing terms and retires two terms: Critical Assets and Critical Cyber Assets.

Systems at all impact levels must be within a security zone that provides protection from outside influences using a posture of “mutual distrust.” No communications crossing the perimeter is trusted, regardless of where the communication originates.

To Be Determined:

The commission approved most of NERC’s proposals but said it may require NERC to change requirements that entities “identify, assess, and correct” deficiencies. The commission said it was concerned that the phrase was “unclear with respect to the compliance obligations it places on regulated entities and … too vague to audit and enforce compliance.”

The commission said it may require NERC to either change the language or provide details for how it would be applied and how compliance could be audited.

The commission also said NERC had not provided a “clear roadmap” for what operators of low impact facilities must do to achieve compliance.

NERC proposed an implementation period of 24 months for all but those regarding low impact systems, which would have 36 months to comply.  The commission said NERC had not explained its rationale for the implementation plan and said it will order quicker compliance unless NERC or other commenters “provide reasonable justification” for the proposed time frame.

(For a full list of what’s included in CIP Version 5, click here.)

Posted on

Cost Recovery Criteria OK’d

The Commission approved criteria for determining which NERC activities are eligible for cost recovery under section 215 of the Federal Power Act.

Reason for change:

A FERC audit issued last year recommended the development of the criteria.

Impact:

The criteria restrict funding to “statutory” activities such as those involving the development, monitoring and enforcement of reliability standards, along with related training.

FERC will use the criteria in approving NERC’s annual budgets. Expenses approved by FERC are eligible for cost recovery from end users.

The commission ruled that the proposed criteria were generally acceptable but required replacement of the term “involve or support” with the term “necessary or appropriate” as the basis for funding. The commission said the former term was too broad and provided no practical limitation on funding.

Posted on

Cyber Asset Definitions

Programmable electronic devices and communication networks including hardware, software and data.

Bulk Electric System (BES) Cyber Asset

A cyber asset which, if lost, damaged or misused would within 15 minutes affect the reliable operation of the grid. Redundancy of affected facilities is not considered when determining adverse impact. The definition excludes assets connected to the grid for 30 consecutive days or less that are used for data transfer, vulnerability assessments, maintenance, or troubleshooting.

Posted on

FERC OKs New Reliability Standards

Expanded Cybersecurity Focus

New Approach for Generators

WASHINGTON — The Federal Energy Regulatory Commission gave preliminary approval Thursday to a rewrite of cybersecurity rules and set a “bright line” requiring most facilities at 100 kV or higher to abide by them.

The commission issued four orders approving proposals by the North American Electric Reliability Corp. (NERC). Included were:

  • A new definition of transmission facilities covered by NERC reliability rules that upgrades the longstanding 100 kV threshold from a guideline to a directive. Regional discretion on the definition of Bulk Electric Systems (BES) is eliminated. (more)
  • Version 5 Critical Infrastructure Protection (CIP) standards, which replace the current “in or out” designations with a tiered approach which classify assets as high, medium or low impact. The commission said version 5’s improvements were important enough that companies now operating under CIP version 3 will skip CIP Version 4, due to take effect date, April 1, 2014, and transition directly to version 5. (more)
  • New rules for generator interconnections that will eliminate the need for most generators to register as transmission operators. (more)
  • Criteria for determining which NERC activities are eligible for cost recovery. (more)
Posted on

New Reliability Rules for Generator Interconnections

The commission issued a Notice of Proposed Rulemaking for four new reliability standards addressing vegetation management and facility connection requirements for generator interconnection facilities (also known as generator tie lines).

Reason for Changes:

FERC had encouraged NERC to identify reliability standards specific to generator owners and operators with interconnection facilities including transmission lines. Eliminating the need for generators to register under the transmission function will allow them to focus on reliability standards specific to them, NERC said.

Impact:

  • FAC-001-1 requires a Generator Owner to publish facility connection requirements when it executes an agreement to evaluate the reliability impact of interconnecting a third party facility to its tie line.
  • FAC-003-3 requires a Generator Owner to perform vegetation management on its tie line.

Standards PRC-004-2.1a (Analysis and Mitigation of Transmission and Generation Protection System Misoperations) and PRC-005-1.1b (Transmission and Generation Protection System Maintenance and Testing) establish generation owners’ responsibility for the FAC requirements as they apply to tie lines.

In most cases, NERC said, these are the only reliability standards that apply to generator interconnection facilities. The changes do not affect the requirement that generators comply with other reliability standards unrelated to tie lines, such as those covering system restoration plans and notification of equipment failures.

Generators currently registered under transmission functions will have to apply to change their certifications under the NERC Rules of Procedure.

Posted on

MRC Preview: Black Start Compensation; DR “Fatigue;” UTCs; CFTC Response on Agenda

Below is a summary of the issues scheduled to be brought to a vote at Thursday’s Markets and Reliability Committee meeting. Each item is listed by agenda number, description and projected time of discussion, followed by a summary of the issue and links to prior coverage in PJM Insider.

Rich Heidorn will be in Wilmington covering the votes. Sign up for his Twitter feed to get real-time alerts on when these issues come up for discussion, and see next week’s newsletter for a full report.

2. PJM MANUALS (9:10-9:20)

The committee will be asked for endorsements of changes to Manual 13: Emergency Operations related to the integration of East Kentucky Power Cooperative.

East Kentucky Coop to Join PJM

Tariff Changes OK’d for East Kentucky Integration

3.  SYSTEM RESTORATION STRATEGY SENIOR TASK FORCE (SRSTF) (9:20-9:50)
  • Transmission operators providing cranking paths for black start generators would recover capital costs over five years under a proposal by the System Restoration Strategy Task Force that the MRC will be asked to approve. The task force rejected an alternate proposal that would have extended capital recovery over the entire asset life.

MRC First Readings: Capital Cost Recovery for Black Start Generators

  • MRC will be asked to approve on first read a revised charter that will expand the scope of the task force’s work. The revised charter would include consideration of “back stop options.”
4. PROVISION OF E-TAG DATA TO ISOS, MMUS, AND FERC (9:50-10:00)

PJM needs to make revi­sions to the con­fi­den­tial­ity pro­vi­sions of its tar­iff to com­ply with FERC Order 771,  requir­ing pro­vi­sion of E-Tag data to Inde­pen­dent Sys­tem Oper­a­tors, Mar­ket Mon­i­tor­ing Units and FERC.

MRC First Readings: Provision of E-Tag Data

5. FREQUENCY CAPABILITY VERIFICATION (10:00-10:15)

Ken Carretta, of PSEG, will ask the MRC to endorse a problem statement exploring whether PJM has sufficient safeguards to ensure that Emergency Demand Response resources perform as needed.

PJM expects DR to be called on increasingly in the future due to declining installed generation reserve margins. That has led to concern by some that performance may suffer as a result of DR “fatigue.”

At MRC’s March 28 meeting, curtailment service providers said that there was no evidence of “fatigue” and alleged the proposal was anti­competitive. Carretta said reporting requirements that could result from the inquiry would be no more onerous than those for generators.

Cool Reception for DR “Fatigue” Study

Demand Response Calls Expected to Grow in 2014

6. UP-TO CONGESTION TRANSACTION ENHANCEMENT (10:15-10:40)

PJM delayed a vote on its proposal to limit Up-to Congestion (UTC) bids Feb. 28 when MRC members asked for a broader review to come up with a consensus definition of the bidding technique.

PJM is proposing the cap because high bid volumes can make it difficult for the RTO’s day ahead markets software to reach solutions. Although the proposal was supported by financial market players who are the predominant users of UTC, other members balked, calling for a broader review of the impact of UTCs, which have grown in popularity since their creation in 2000.

MRC will be asked to approve bid limits similar to those that apply to increment offers and decrement bids for inclusion in Manual 11. The proposed revisions also add the following definition of Up-To Congestion transactions to the OA and Tariff:

“A Market Participant may elect to submit in the Day-ahead Energy Market a form of Virtual Transaction that combines an offer to sell energy at a source, with a bid to buy the same megawatt quantity of energy at a sink where such transaction specifies the maximum difference between the Locational Marginal Prices at the source and sink. The Office of Interconnection will schedule these transactions only to the extent this difference in Locational Marginal Prices is within the maximum amount specified by the Market Participant.”

Facing Opposition, PJM Delays UTC Cap Pending Broader Review

7. APPLICATION OF FTR FORFEITURE RULES TO UP-TO CONGESTION TRANSACTIONS (10:40-11:00)

PJM will ask MRC approval to apply FTR forfeiture rules to Up-to Congestion transactions. The action will require changes to the OA, Tariff and PJM Manual 6: Financial Transmission Rights.

The rules are intended to prevent market participants from submitting virtual bids that boost the value of their FTRs.

On March 28, the MRC rejected PJM’s proposed tariff changes specifying how the FTR forfeiture rules are applied to increment offers and decrement bids.

PJM, Monitor in Stalemate on FTR Forfeiture Rule

8. COMMODITY FUTURES TRADING COMMISSION (CFTC) EXEMPTION ORDER (11:00-11:30)

PJM announced April 7 that it may deny trading privileges to as many as 55 small market participants if they are unable to qualify for the Dodd-Frank exemption approved by the Commodity Futures Trading Commission last month.

MRC will be asked to approve changes to the Operating Agreement and Tariff to comply with conditions in the CFTC order and to implement PJM’s response to it.

CFTC Approves Dodd-Frank Exemption for RTOs

PJM May Bar Some Financial Players from Trading; 55 Companies Affected by Response to CFTC Order

Posted on

FERC Stands Firm on Reporting Requirements – UPDATE

By Rich Heidorn Jr.
PJM Insider

WASHINGTON – Large electric cooperatives and public power agencies must begin reporting their “surplus” power trades to the Federal Energy Regulatory Commission, the agency said today, standing firm on an order it issued in September.

The new reporting requirements apply to more than 50 cooperatives and public power agencies otherwise exempt from FERC authority that have “more than a de minimis market presence” – defined as more than 4 million MWh in annual wholesale sales.

The newly-affected entities must begin recording their transactions in Electric Quarterly Reports (EQRs) for the third quarter of 2013.

In denying a request for reconsideration, the commission also reiterated its requirement that all EQR filers begin including electronic tag (e-Tag) data in reporting their transactions.

Reason for change: 

Order 768, issued Sept. 21, is a response to Congress’ command in the 2005 Energy Policy Act to improve price transparency in wholesale electric markets.

The commission said the reporting requirements were necessary because non-public utilities are responsible for about 29% of wholesale sales in the 48 contiguous states (excluding ERCOT).  They represent 60% or more of sales within the Western Electric Coordinating Council (WECC), SERC Reliability Corp. and Florida Reliability Coordinating Council (FRCC) FERC said.

The American Public Power Association said the commission’s estimate overstates the role of non-public utilities, which it estimated at 19% of sales nationally. APPA said the data FERC used, from the Energy Information Administration’s (EIA’s) Form 861, are inaccurate because EIA reports a power marketer’s sales as being from a single region although it may make sales in several regions.

Impact:

The reporting requirements cover only “surplus” sales. Excluded from reporting are cooperative and joint agency sales to members or long-term, cost-based sales required by state or federal law.

The order may affect more than 40 public power utilities whose sales top 4 million MWh, according to data compiled by the American Public Power Association.  Among the largest agencies are several PJM members, including American Municipal Power, Inc., North Carolina Municipal Power Agency No. 1, Indiana Municipal Power Agency and WPPI Energy. (To help PJM market participants in their data gathering, the Market Settlements Reporting System (MSRS) provides reports formatted to match the EQR structure.)

About half of the 60 largest generation and transmission cooperatives also are likely to be covered by the new rule, according to a former FERC staff attorney who had analyzed the order’s impact.

FERC estimated in Order 768 that the rule would cover about 53 non-public utilities above the threshold.

The order also added new fields in the EQR for:

  • reporting the trade date and the type of rate;
  • identifying the exchange used for a sales transaction, if applicable;
  • reporting whether a broker was involved; and
  • reporting electronic tag (e-Tag) ID data.

It also standardized reporting of prices and quantities for energy, capacity and booked out transactions and requires entities to disclose whether they report their sales transactions to an index publisher.

The Commission did cut two requirements, eliminating reporting on time zones and Data Universal Numbering System (DUNS) information.

Industry Reaction:

The National Rural Electric Cooperative Association said that FERC overestimated the impact of its members on wholesale markets and that the EQR expansion would not improve transparency.

However, the Pennsylvania Public Utility Commission supported the reporting requirement, saying it will help its ability to monitor retail markets for anti-competitive behavior. Pennsylvania has 13 rural electric cooperatives and about 35 municipal electric utilities.

Market monitors for PJM, MISO, NYISO, ISO-NE, SPP and California ISO also supported the requirement. The monitors noted that the commission’s market-based rate program is based on “regulation through competition,” and is thus dependent on mitigating market power.

FERC contacts:

Maria Vouras, Office of Enforcement, (202) 502-8062, Maria.Vouras@ferc.gov
Christina Switzer, Office of the General Counsel, (202) 502-6379, Christina.Switzer@ferc.gov

Posted on

PJM Reconsiders Adders on Cost-Capped Generators

PJM will evaluate whether it’s time to end extra compensation for generators that frequently run on cost-based offers under market power mitigation rules.

The Market Implementation Committee approved an issue charge by Market Monitor Joseph Bowring to review the “adders” for frequently mitigated units (FMU). Bowring said the adders are no longer needed because of the introduction of the capacity market in 2007 and changes to scarcity pricing rules in 2012.

FMUs were allowed adders in 2006 to ensure that they cover their avoidable costs. The adders are graduated: Generators that are cost capped for 60% of their running hours receive an adder of either 10% of their cost-based offer or $20 per MWh; those capped for 80% or more of their hours can receive $40 per MWh. Similar rules apply to “associated units,” which share physical and economic characteristics to FMUs.

Bowring acknowledged that less than 1% of megawatts sold last year were offer capped. But Bowring said that because the affected units are concentrated in load pockets “it can have more significant impacts locally.” Of the 133 units eligible for FMU or AU status in at least one month during 2012, 25 (19%) were FMUs or AUs for all months.

The monitor won support for the issue charge after agreeing to modify it so that it won’t be pursued until the fourth quarter; some members wanted time to evaluate the impact of scarcity pricing during this summer. Bowring also agreed to remove from the issue charge his conclusion that the reasons for the creation of the adders no longer exists.

Dave Pratzon, who represents generators, said he believed the issue would prove more complicated and time consuming than Bowring suggested. “I think this issue has a lot more hair on it,” Pratzon said.

Posted on

CIP Audit Has No Findings

ReliabilityFirst Corp. completed its Critical Infrastructure Protection (CIP) audit of PJM last week with no findings. The audit covered 29 standards, Mark Kuras, PJM Senior Lead Engineer for NERC and Regional Coordination, told the Planning Committee.

Kuras said auditors had seven recommendations, most related to a lack of clarity in PJM’s manuals regarding control room operators’ responsibility for reliability functions.

They also indicated that the transmission line naming conventions used by transmission owners could result in violations in a future audit, Kuras said. NERC names lines based on voltage levels and the substations at either end; transmission owners identify lines by numbers.

“It’s an easy fix for PJM but there will be a lot of pushback from TOs,” Kuras said.

Kuras also said PJM and NERC are still in settlement discussions over violations resulting from the 2010 CIP spot check and Order 693 audit.

Posted on

New Modeling OK’d for Combined Cycle Plants

PJM will change the way it models combined cycle generators in its least cost dispatch.

The Operating Committee voted overwhelmingly last week to switch to a “composite” model. This will allow combined cycle owners to bid their units in multiple configurations, including duct firing, that reflect the flexibility of the units (i.e., 1×0, 1×1, 2×1, 3×1). Each configuration will have its own parameters (i.e., start time, minimum run time and startup cost).

Under PJM’s current modeling, combined cycle operators must bid as either a combustion turbine or steam unit.

Dave Pratzon, who represents generators, said the change was necessary because combined cycle units have become more prevalent and are more often setting prices. “To my clients the status quo is not a reasonable alternative,” he said.

John Citrolo, of PSEG, also supported the change, saying the current model doesn’t properly compensate generators for combustion turbines starts and stops. “It models the units’ parameters more accurately, gives PJM [dispatchers] more flexibility and compensates owners more fairly,” he said.

The committee chose the composite model over an alternate “additive (pseudo)” option. The additive option would allow combustion turbines to be modeled as separate market units, with the steam turbine modeled as part of the combustion turbines. Pratzon said the additive model was “just a Band-Aid” and was inferior to the composite model.

The proposed change, which will be considered next by the Markets and Reliability Committee, will require software development by PJM’s vendor, Alstom, and changes by generators. The changes are not expected to be implemented before summer 2014.