Note from Tom: If you’re only looking for today’s pandemic post, please go to my new blog. If you’re looking for my cyber/NERC CIP post, you’ve come to the right place.

In my post last Thursday, I concluded with this paragraph: “But that’s not the end of this story. This just demonstrates that a good part (or even all) of the NERC CIP regulatory program hangs on very tenuous legal grounds. If one or two entities want to seriously challenge NERC on these grounds, the whole NERC CIP program might be brought crashing down. This means that sooner or later, the NERC community is going to realize that the standards need to be rewritten from the bottom up, as I discussed in this webinar last year.”

Earlier in that post, I’d pointed out that a NERC entity that gets a violation, and has made no headway getting NERC’s Enforcement group to change its mind on it, can always file a suit in the administrative court system (since NERC standards are regulatory law). I opined that, in a question like the status of “mitigation” in CIP-013 – where the standard clearly assumes the NERC entity will mitigate risks that are identified, but where the word “mitigate” was actually left out of the requirements – an administrative law judge (ALJ) would probably rule in the entity’s favor, without having to think too hard about it.

However, Kevin Perry, former Chief CIP Auditor of SPP Regional Entity, emailed me over the weekend that he very much disagrees with that position. He said:

In your scenario, you suggest that the entity will prevail before the ALJ and their violation (and fine) will be thrown out. To that point, I very much disagree. I am very confident that no ALJ would overturn this violation unless the Region totally bolloxed up their case in front of the judge.

My point is the Region Enforcement staff are not likely to allow a contested violation to get that far, if there is any chance the entity will prevail. In my experience, Enforcement has overturned violations found at audit - some Regions more than others. It is all part of the checks and balances built into the CMEP process. It is very unlikely a violation will ever get to a hearing (before an ALJ) unless the Region is confident that its view of the compliance issue is correct and can be persuasively argued in court. The Regions will often give the benefit of the doubt to the entity if there is any chance that the entity reasonably interpreted the expectations of a vaguely or incompletely worded Requirement.

So Kevin’s point is that neither the Region nor NERC wants to have to defend a less-than-solid case in front of an ALJ, mainly because of the huge cost in time and money of doing so. This means that, if there’s any question about whether they’ll win or not, they’re likely to drop the violation before it even gets that far. But in a case where they’re quite sure their position is correct, they’re not likely to lose in court – unless they totally botch their case.

I agree that Kevin’s right. However, I’m not backing away from the last sentence of the post: “This means that sooner or later, the NERC community is going to realize that the standards need to be rewritten from the bottom up, as I discussed in this webinar last year.” My case for saying the CIP standards need to be rewritten doesn’t rest at all on legal grounds, and I shouldn’t have implied that it does.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Are you working on your CIP-013 plan and you would like some help on it? Or would you like me to review what you’ve written so far and let you know what could be improved? Just drop me an email!