Regulators want more authority to protect nation’s power grid
Regulators say they now have inadequate authority to ensure the cybersecurity of the nation’s power grid, but they support House bills that would change that situation.
Regulators overseeing the nation’s power generation and distribution system say this critical infrastructure is at risk because they do not have the power to quickly respond to threats and vulnerabilities to the system.
Representatives from the Federal Energy Regulatory Commission, the North American Electric Reliability Corp. and the Energy Department told a House panel Tuesday that legislation now pending in the House could help correct current problems.
“The [Federal Energy Regulatory Commission’s] current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system,” Joseph McClelland, director of FERC’s Office of Electric Reliability, told the Energy and Commerce subcommittee on Energy and the Environment. “These types of threats pose an increasing risk to our nation’s electric grid, which undergirds our government and economy and helps ensure the health and welfare of our citizens. Congress should address this risk now.”
Two bills, HR 2165, the Bulk Power System Protection Act of 2009, and HR 2195, an amendment to the Federal Power Act, have been introduced in the House to revamp security regulation of the nation’s power grid. The bulk power system is defined by law as generation and high voltage transmission systems, and does not include distribution substations and lower voltage networks that distribute electricity to customers. Alaska, Hawaii, and Guam are specifically excluded from reliability regulations, as are many major cities and population centers such as New York and Washington, D.C.
“Both H.R. 2165 and H.R. 2195 address the principal gap that NERC sees in the current law,” said NERC vice president and general counsel David Cook. That gap is that “the federal government lacks sufficient authority to act to address an imminent and specific cyber security threat to the critical infrastructure of the United States.”
FERC oversees the nation’s bulk power system under the Energy Policy Act of 2005, and has certified NERC as the electric reliability organization (ERO) representing the industry. FERC enforces standards but does not create them; NERC creates standards but does not enforce them. NERC, as the designated ERO, has responsibility for proposing security standards and requirements for the bulk power system, which FERC can accept, reject or suggest revisions to.
The process is time-consuming and does not respond to rapidly emerging and evolving cyber threats. NERC proposed a set of 40 Critical Infrastructure Protection Standards in 2006, which FERC adopted in 2008, to become mandatory in 2010. But those standards still are being finalized, and requirements for compliance are being phased in gradually.
One of the weaknesses in the CIP standards is that they apply only to critical infrastructure, as identified by the 1,800 entities that own and/or operate the Bulk Power System. So far, many organizations have not identified that infrastructure.
“At this point, however, it is clear that all critical assets and associated critical cyber assets have not been identified and therefore made subject to the protection requirements of the CIP standards,” McClelland said. “This represents a significant gap in cyber security protection.”
Another problem is that the Bulk Power System covered under existing regulation does not include the entire power grid. It excludes Alaska and Hawaii, as well as some transmission and all local distribution facilities, including virtually all of the grid facilities in certain large cities such as New York. This precludes commission action to mitigate cyber or other national security threats to these facilities, McClelland said.
Security issues are becoming more urgent with the development of a smart grid, a next-generation intelligent power system that will include two-way flows of both energy and data. The Recovery Act provided $4.5 billion to jumpstart research and development of smart grid technology, and some elements of it, such as smart metering, already are being implemented.
The National Institute of Standards and Technology is developing security standards for this new infrastructure, and this summer issued Release 1.0 of the “NIST Framework and Roadmap for Smart Grid Interoperability Standards” as well as Draft NISTIR 7628, “Smart Grid Cyber Security Strategy and Requirements.”
“The need for vigilance will increase as new technologies are added to the bulk power system,” McClelland said. “Given the national security dimension to this threat, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure.”
But current regulations lack clear and rapid enforcement authority.
“NERC believes that the U.S. government needs additional emergency authority to address specific, imminent cyber security threats,” Cook said. “With immediate emergency authority in the hands of government, NERC would be better positioned to develop and implement longer-term cyber security and critical infrastructure protection Reliability Standards.”
Under the bills introduced, FERC would be authorized to issue an Emergency Security Directive to owners and operators of the Bulk Power System, covering a specific period of time, if the secretary of Energy has determined that a power grid emergency exists. The emergency would have to be addressed within 60 days.
HR 2165 covers the bulk power system only. HR 2195 is broader and covers all “critical electric infrastructure,” defined in the legislation as generation, transmission, distribution, and metering infrastructure.