On March 18, 2010, the Federal Energy Regulatory Commission (FERC or the Commission) approved, with modifications, certain Violation Severity Level (VSL) assignments for Critical Infrastructure Protection (CIP) reliability standards as proposed by the North American Electric Reliability Corporation (NERC). The Commission also provided additional guidance for determining appropriate VSLs in the context of requirements in the cyber security reliability standards.
The VSL is a measure of the degree ("Lower," "Moderate," "High" or "Severe") to which a reliability standard requirement has been violated. NERC considers the VSL together with a "Violation Risk Factor," which represents the potential risk to reliability, to establish a base penalty range for a violation of the reliability standards.
The Commission previously approved VSLs for requirements and sub-requirements of 83 non-CIP reliability standards. In the Non-CIP VSL Order, the Commission provided four guidelines that it will apply when reviewing proposed VSL assignments:
- VSL assignments should not have the unintended consequence of lowering the current level of compliance.
- VSL assignments should ensure uniformity and consistency in the determination of penalties.
- A VSL assignment should be consistent with the corresponding requirement.
- A VSL assignment should be based on a single violation, not on a cumulative number of violations.
In a subsequent order, Order No. 706, the Commission approved eight CIP reliability standards proposed by NERC and directed NERC to file VSLs corresponding to the CIP standard requirements and sub-requirements before July 1, 2009. On June 30, 2009, NERC proposed 118 sets of VSLs corresponding to the CIP reliability standards.
FERC Review of the VSLs Proposed for CIP Standards
In the CIP-VSL Order, the Commission approved the proposed VSLs for the CIP standards, issued additional guidance for determining appropriate VSLs in the context of cyber security requirements, and ordered NERC to revise 57 sets of VSLs within 60 days. The approved VSLs are effective immediately and will be used by NERC to determine penalties for violating the CIP reliability standards. The Commission also provided two guidelines specific to cyber security VSL assignments.
- Requirements where a single lapse in protection can compromise computer network security, i.e., the "weakest link" characteristic, should apply binary VSLs.
In adopting this all-or-nothing, or binary, approach, the Commission explained that the control systems supporting bulk-power system reliability are "only as secure as their weakest links" and that a single lapse of computer protection can have systemic critical infrastructure consequences. Thus, while FERC generally prefers a gradated approach for VSLs, it concluded that a binary approach was appropriate for cyber security standards involving "weakest link" vulnerabilities.
- VSLs for cyber security requirements containing interdependent tasks of documentation and implementation should account for their interdependence.
FERC explained that often in the cyber environment, implementation of security measures depends on complex plans, policies and procedures that must be repeatable and verifiable. These interdependent tasks require documentation of both the procedures to be followed and verification that the procedures were followed as directed. If the responsible entity documented the control processes and mechanisms but did not implement them, or conversely if the entity attempted to implement controls but did not document the control processes and mechanisms, the desired security would be inadequate. Therefore, for certain reliability standards the interdependency between documentation and implementation should be recognized in the corresponding VSLs.
In addition to the new guidelines, FERC concluded that some of the proposed VSLs needed revision because they were too permissive and could have the unintended consequence of lowering the current level of compliance. Finally, FERC had consistency and clarity concerns with specific VSLs and ordered revisions to remove ambiguities.
Implications for Registered Entities
The VSLs approved in the CIP-VSL Order are effective immediately, and NERC will begin using them as a factor in determining future penalties for violations of the cyber security CIP reliability standards. Because FERC's new guidelines require NERC to take an all-or-nothing approach when determining the VSL for cyber security requirements where a "weakest link" vulnerability is present, registered entities have an increased incentive to ensure strict compliance with the CIP standards. Similarly, where a requirement calls for both implementation and documentation, registered entities should ensure that their compliance procedures include specific provisions covering those interdependent tasks.
The CIP-VSL Order also confirms the need for registered entities to have a robust compliance program that covers reliability compliance and includes written procedures that specifically address the requirements in the reliability standards.
Mandatory Reliability Standards for Critical Infrastructure Protection, Order Addressing Violation Severity Level Assignments for Critical Infrastructure Protection Reliability Standards, 130 FERC ¶ 61,211 (2010) (CIP-VSL Order).
North American Reliability Corp., 123 FERC ¶ 61,284 (2008) (Non-CIP VSL Order).
Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040 at P 758 (2008), available at http://www.ferc.gov/whats-new/comm-meet/2008/011708/E-2.pdf.
See Petition of the North American Electric Reliability Corporation for Approval of Violation Severity Levels to Critical Infrastructure Protection (CIP) Version 1 Reliability Standards CIP-002-1 through CIP-009-1, Docket No. RM06-22-000 (2009), available at http://www.nerc.com/files/FinalFiledCIP-VSLComplianceFiling.pdf.