Bulk-Power System Security – Critical Infrastructure Protection Reliability Standards
On October 21, 2020, the AUC amended Rule 027: Specified Penalties for Contravention of Reliability Standards with the addition of clause 5.3.
The previous version of Rule 027 required the Market Surveillance Administrator (“MSA”) to publish every notice of specified penalty issued for contraventions of reliability standards, including those related to critical infrastructure protection (“CIP”). CIP reliability standards imposed certain physical and cybersecurity requirements on Alberta generating units. The rule also required the MSA to post whether penalties were paid or a notice of specified penalty was disputed and, in the latter case, to post a link to the resulting AUC decision relating to that dispute.
The Federal Energy Regulatory Commission (“FERC”) released its Joint Staff White Paper on Notices of Penalty Pertaining to Violations of Critical Infrastructure Protective Reliability Standards (“White Paper”). The FERC and North American Electric Reliability Corporation (“NERC”) jointly concluded, “there are substantial risks to the security of the Bulk-Power System resulting from the disclosure of CIP violator names and other information found in CIP noncompliance submissions.” Consequently, the FERC would be keeping confidential all information related to the investigation and enforcement of contraventions of critical infrastructure protective reliability standards and NERC would no longer publicly post redacted versions of CIP noncompliance filings and submittals.
The AUC reviewed the findings and decided to adopt the joint FERC and NERC position regarding confidentiality. Rule 027 was revised to exempt the MSA from making public any notices of specified penalties related to contraventions of critical infrastructure protective reliability standards, including any related documentation. The AUC added clause 5.3:
5 Posting of notice of specified penalty
5.3 Subsections 5.1 and 5.2 shall not apply to a notice of specified penalty issued for a contravention of a critical infrastructure protection (CIP) reliability standard. A notice of specified penalty issued for a contravention of a CIP reliability standard and all associated information, including nonpayment or a dispute of the specified penalty or a Commission decision respecting the disputed specified penalty, will not be public.