Regulators Cannot Move Fast Enough to Protect Grid, FERC Warns

In testimony before a congressional subcommittee, Joseph McClelland, director of the Federal Energy Regulatory Commission (FERC) Office of Electric Reliability, enumerated the ways in which the U.S. regulatory system is ill-equipped to deal with time-sensitive threats to physical and cyber assets of its power system.

In testimony before the House Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on Sept. 12, McClelland began by outlining his commission’s powers, and their limits: “FERC’s role with respect to reliability is to help protect and improve the reliability of the Nation’s bulk power system through effective regulatory oversight as established in the Energy Policy Act of 2005.”
 
FERC, he said, is looking at what it can do under its existing authority to address threats to the U.S. grid in a more timely manner. However, in many ways, its hands are tied, and “limitations in Federal authority” may not fully protect the grid against various security threats.

The Federal Power Act (FPA) requires FERC to select an electric reliability organization (ERO), which it has designated as the North American Electric Reliability Corp. (NERC), “that is responsible for proposing, for Commission review and approval, reliability standards or modifications to existing reliability standards to help protect and improve the reliability of the Nation’s bulk power system.”

FERC can’t create or modify proposed standards on its own. The FPA requires it to remand such proposals to NERC “for further consideration.” It is additionally limited to oversight of the “bulk power system,” which excludes Alaska, Hawaii, and some mainland transmission, including “virtually all of the grid facilities in certain large cities such as New York, thus precluding Commission action to mitigate cyber or other national security threats to reliability that involve such facilities and major population areas.” The definition also excludes all distribution infrastructure, including facilities connected to defense infrastructure (one of many reasons that the U.S. military has been at the forefront of developing smart microgrids and onsite renewable energy).

“NERC has recently filed a revised definition of the term bulk power system, and the Commission has solicited comments on its proposal to accept NERC’s revised definition,” McClelland said. “However, it is important to note that section 215 of the FPA excludes local distribution facilities from the Commission’s reliability jurisdiction, so any revised bulk electric system definition developed by NERC will still not apply to local distribution facilities, including those connected to defense infrastructure.”

Other impediments include the openness of the standards-creation process when national security is a factor and the fact that “the NERC process typically requires years to develop standards for the Commission’s review.” Though the opportunity for stakeholder involvement and consensus-building are admirable, that process, McClelland noted, is appropriate for “routine reliability standards” but not “when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information.”

FERC can order NERC to expedite proposals for reliability standards, but there’s no guarantee NERC could comply. “Moreover, faced with a national security threat to reliability, there may be a need to act decisively in hours or days, rather than weeks, months or years,” McClelland said.

Furthermore, “existing reliability standards do not extend to physical threats to the grid, but physical threats can cause equal or greater destruction than cyber attacks.” One type of a physical threat is an electromagnetic pulse event, which can be a result of natural occurrences or man-made causes, such as weapons.

Whether or when Washington takes effective action on cybersecurity, especially as it affects the power grid, is an open question. As law firm Patton Boggs LLP noted in a post the day before McClelland’s testimony, during the August recess, “A group of nine Republican Senators released a statement blaming the failure of cybersecurity legislation on Senate Democrats, while several Democratic members of Congress and the former White House Cybersecurity Coordinator Howard Schmidt made statements calling for the President to take executive action on cybersecurity given the Congress’ failure to act. Chairman of the Federal Energy Regulatory Commission Jon Wellinghoff also recently called on Congress to move forward on cybersecurity issues along with the need for enhanced authorities to protect critical infrastructure based on concerns over cybersecurity threats to the electric grid. Wellinghoff noted that there needs to be … more effective ways to communicate with utilities and to have enforcement authority to protect electric and natural gas infrastructure against cyber threats and vulnerabilities.”

Sources: POWERnews, FERC, Patton Boggs LLP

—Gail Reitenbach, PhD, Managing Editor (@POWERmagazine)