M. System Security

1. System security is critical to the reliable operation of the interstate transmission grid.  Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission, or grid management system can compromise the reliable operation of a major portion of the regional grid.  The wholesale electric market relies on the continuing reliable operation of not only physical grid resources, but also the operational infrastructure of monitoring, dispatch and market software and systems.  Because of this mutual vulnerability and interdependence, it is necessary to safeguard the electric grid and market resources and systems by establishing minimum standards for public utilities that own, control or operate facilities used for transmitting electric energy in interstate commerce as well as entities that use these facilities.

2. NERC's Critical Infrastructure Protection Advisory Group has recently developed a set of recommended minimum requirements (standards) for securing information assets that support grid reliability and market operations and the physical environments in which these information assets operate.  These standards are designed to ensure that the entity has a basic security program protecting the electric grid and market from the impact of acts, either accidental or malicious, that could cause wide-ranging harmful impacts on grid operations.  These standards would be administered through an annual self-certification due January 31, 2004, and every January 31 thereafter.  The proposed form for the self-certification is attached as Appendix G.

3. We propose to require that all public utilities that have tariffs on file with the Commission must file the self-certification by January 31, 2004, and every January 31 thereafter.  Additionally, on and after February 1, 2004, as a condition of receiving transmission service provided by a public utility that owns, controls or operates transmission facilities, a customer must demonstrate that it has a basic security program in place.  The customer can satisfy this requirement by supplying the public utility with a copy of the executed self-certification form.  In the case of entities seeking transmission service that are not public utilities subject to the Commission's regulations, the entity would still be required to demonstrate that it has a basic security program in place to receive transmission services.  This could be done by supplying the transmission provider with an executed self-certification using the Commission's form.  Alternatively, the transmission provider and the customer could develop an alternative arrangement for ensuring that the customer has a basic security program in place.

4. Finally, when the SMD Tariff is implemented, we propose to extend the requirement to cover the additional services being provided by the Independent Transmission Provider.  At that time, any customer seeking to buy or sell through the markets operated by the Independent Transmission Provider or take transmission service under the Network Access Service would be required to demonstrate that it has a basic security program in place.

We expect that these standards will be revised and refined over time in light of changes in technology and operational experience with the standards.  Therefore, the regulations will also identify the specific version number of the system security standards.  When NERC revises the standards, the revisions will be filed with the Commission.  The Commission will issue a Notice that it is considering revising the updated system security standards, and we will seek comments on the proposed changes.  The process the Commission proposes to use is the same as it has used for standards adopted by the Gas Industry Standards Board for interstate pipelines.[247]



[247] Section 284.12(b) of our regulations identifies the business practice and electronic communication standards promulgated by the Gas Industry Standards Board (now known as NAESB) that interstate pipelines must comply with.