DOE and FERC Mull Incentivizing Cybersecurity, Physical Security of Power and Gas Infrastructure

The U.S. Department of Energy (DOE) and Federal Energy Regulatory Commission (FERC) want to explore how federal and state authorities could incentivize cybersecurity and physical security in the power and natural gas sectors.

The agencies issued a notice on Feb. 4 announcing they would jointly hold a technical conference on Thursday, March 28, 2019, from 10 a.m. to 4 p.m. In materials related to the announced conference in FERC Docket No. AD19-12-000, FERC said the conference will address two “high-level” topics.

The first will include a discussion of types of current and emerging cyber and physical security threats that assail energy infrastructure. “Specifically, the conference will explore factors that the private sector considers when evaluating energy infrastructure security threats and vulnerabilities, as well as the availability of resources and challenges associated with evaluating these issues. In addition, the conference will discuss cyber and physical security best practices and mitigation strategies,” FERC noted.

The second topic, it said, will center on how federal and state authorities “can facilitate investments” to improve the cyber and physical security of energy infrastructure. “The conference will concentrate on federal and state authorities’ current cost recovery policies,” it said. “In addition, this panel will also look at how security investments are presently incentivized and what type of incentives would be most effective to facilitate security investment (e.g., accelerated depreciation, adders to return on equity, etc.).”

Further details are expected in a supplemental notice. The conference is expected to be open and free to the public, and it will likely be webcast. Attendees can preregister at: https://www.ferc.gov/whats-new/registration/03-28-19-form.asp.

In a Feb. 4 press release, FERC Chairman Neil Chatterjee said the agencies were reacting to identified threats against U.S. energy infrastructure, particularly the electric and natural gas sectors. Those threats “continue to grow and the responsibility for protecting our energy infrastructure is shared across industry as well as states and the federal government,” he noted. “In light of this shared responsibility, we will join with DOE to explore current threats against energy infrastructure, best practices for mitigation, current incentives for investing in physical and cyber security protections, and current cost recovery practices at both the state and federal level.”

Latest of Substantial New Federal Measures for Heightened Grid Security

The technical conference is the federal government’s most recent attempt to ensure coordination with the private sector on growing security issues affecting critical energy infrastructure, and especially the electric grid.

The government has repeatedly warned that the bulk power system faces new and evolving cybersecurity threats, including direct attacks aimed at the electric grid or other critical infrastructure that could impact the operations or security of the grid. Experts generally agree that the greatest cyber threats to the grid have been intrusions focused on manipulating industrial control systems (ICS). Recent concerns have extended to Industrial Internet of Things (IIoT) devices connected to networks.

For the U.S. government, a key concern is that the power sector does not have the intelligence-gathering capabilities to deal with the many cyber and physical threats to the grid. Currently, the government analyzes all-source intelligence to understand threats, and then shares that information with industry. But both public and private stakeholders lament that information could be shared on a more timely basis. Legislation was introduced during the 115th Congress—but made little progress—to promote increased public-private coordination. Some bills, for example, allowed the DOE to provide technical assistance to utilities, vendors, and other power sector stakeholders, such as by establishing a voluntary DOE cybersecurity product testing program, or required the agency to provide training.

For now, FERC oversees the reliability of the bulk power system under authority granted to it by Congress under the Energy Policy Act of 2005. FERC has so far served the pivotal role of approving or remanding reliability standards proposed by the North American Electric Reliability Corp. (NERC), which serves as the current electric reliability organization.

NERC, however, has sought to increase monitoring of the bulk power system. For example, it proposed in its 2019 budget that 24-7 onsite capabilities of its Electricity Information Sharing and Analysis Center (E-ISAC) could provide members with actionable intelligence about threats that occur overnight or during weekend hours. FERC, too, is seeking increased reporting of cyber incidents, and it has directed NERC to expand CIP-008, a standard that will require industry to report any attempts to compromise security perimeters—not just compromises as is currently required.

In May 2017, President Trump issued an executive order (E.O. 13800), which called for an assessment of a prolonged electric power outage resulting from a cyberattack, and an evaluation of the “readiness and gaps in the United States’ ability to manage and mitigate consequences of a cyber incident against the electric subsector.” The cyber supply chain and public-private cybersecurity information sharing were listed among a number of major potential cybersecurity vulnerabilities.

And in February 2018, the DOE moved to establish the new Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to “bolster DOE’s efforts in cybersecurity and energy security.” The agency says the Fixing America’s Surface Transportation (FAST) Act gives the office the authority to order electric utilities and NERC to implement emergency actions.

The Simmering Fight About Critical Infrastructure Information

The DOE has for years collected information on electric incidents and emergencies through Form OE-417 to “fulfill its overall national security and other energy emergency management responsibilities, as well as for analytical purposes.” (The form was updated in May 2018 to accommodate NERC’s event reporting standard, EOP-004.) But this October, as the lead sector-specific agency for the energy sector, the DOE also issued a notice of proposed rulemaking (NOPR) introducing administrative procedures to implement its authority to designate certain information provided by grid asset owners as “critical electric infrastructure information” (CEII).

The DOE defines CEII as “non-classified national security information about a system or asset of the bulk-power system, whether physical or virtual, that if destroyed or incapacitated, would negatively affect the national security, economic security, public health or safety, or any combination of such effects.” A CEII “designation” is essentially designed to encourage the private sector to share information about physical and virtual assets of the bulk-power system by exempting the submitted information from public release under the Freedom of Information Act.

Public comment for the proposed rule closed on Dec. 28. The rule received only six comments.

One was from S&P Global Market Intelligence, which claimed the rule would prohibit the public from accessing OE-417, the DOE’s form that collects data on grid disturbances. Another was from the Transmission Access Policy Study Group (TAPS), which is an association of transmission-dependent utilities in more than 35 states that work to promote open and non-discriminatory transmission access. The group said its members “have a strong interest in limiting the dissemination of CEII, whether about their own facilities or others’, beyond those with a need for the information.”

Environmental group Earthjustice, the Union of Concerned Scientists, and citizen group Public Citizen, meanwhile, jointly told the DOE that the agency has no authority to establish criteria and procedures for CEII. More significantly, the groups claimed that the proposed rule would, in essence, “allow virtually any information submitted to be barred from public access for an indefinite amount of time, amounting to a breathtaking and inappropriate broadening of the Department’s authority under Section 215A of the [Federal Power Act] and significantly hampering parties’ ability to meaningfully participate in DOE proceedings.”

Only one utility, Southern California Edison (SCE), commented. “By issuing this NOPR, which sets a tone of security and public/private sector collaboration, DOE is demonstrating its intent to work with the private sector to protect the grid,” it said.

—Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)