Utility industry representatives opposed legislation at a House subcommittee hearing last week that could authorize the Federal Energy Regulatory Commission (FERC) to enforce cyber security standards on all plants connected to the bulk power system.

The House Subcommittee on Energy and the Environment hearing examined bills introduced this year to address the protection of the grid from cyber and other malicious attacks. The webcast hearing was titled “Protecting the Electric Grid: H.R. 2165, the Bulk Power System Protection Act of 2009, and H.R. 2195, a bill to amend the Federal Power Act to provide additional authorities to adequately protect the critical electric infrastructure against cyber attack.”

The Federal Power Act allows FERC to enforce security standards for power plants—with the exception of electrical systems outside the continental U.S. and local distribution facilities. But these systems are connected to the bulk power system through computer networks. If federal authority is not extended industrywide, it could open the system to cyber attacks through an individual power plant, said Committee Chair Rep. Edward Markey, D-Mass., during the hearing.
“We have to close that regulatory black hole” between the federal authority and [North American Electric Reliability Corp. (NERC)] jurisdiction, Markey said. NERC is a quasi-public agency that develops security standards for individual plants, including local distribution facilities.

Joseph McClelland, director of FERC’s Office of Electric Reliability, testified that the agency’s legal authority, as it stood, was inadequate to protect the bulk power system against both cyber and physical threats. “Further, although section 202(c) of the FPA provides the Department of Energy certain emergency authority, in my view that authority is not adequate to cover the types of actions that might need to be ordered to protect the electric grid,” he said.

But as Gary Brown, chair of the New York State Public Service Commission (NYPSC) as well as of the Electricity Committee of the National Association of Regulatory Utility Commissioners (NARUC), argued, “legislation must distinguish between imminent threats, which require immediate action, and vulnerabilities, which can be resolved more deliberately.”

Brown said that the scope of legislation should be limited to cyber security on the bulk power system and in emergency situations. If the federal government had actionable intelligence about an imminent threat to the bulk power system, state commissions would be willing and able to help deal with the emergency situations on the distribution systems. “In these limited circumstances, when time does not allow for classified industry briefings and development of mitigation measures for a threat or vulnerability, FERC in the United States and the appropriate corresponding authorities in Canada should be the government agencies that direct the electric power industry on the needed emergency actions,” he said. “These actions should only remain in effect until the threat subsides or upon FERC approval of related NERC reliability standards.”

Another concern to consider was cost, Brown said. “The issue of how much more money should be put into this effort when it is virtually impossible to stop some cyber attacks (e.g., hackers getting into the Pentagon’s computer system) needs to be addressed.”

Regulated companies were already taking steps, through NERC’s cyber security (“CIP”) standards, to manage risk, he added. But, “The question of how far that standard extends (i.e., to what extent it would reach down into the distribution system) is not yet clear,” he said. “Over the past two years, electric utilities across the country have requested significant additional staffing and dollars for CIP standard compliance activities in their transmission rate case filings at FERC. However, extending the applicability of those standards to lower voltage facilities raises the question of how much more we are willing to pay for a marginal increase in cyber security.”

It was more important that FERC improve the way it communicated information in regards to a cyber threat, Brown said. “In nearly all situations, the electric power industry can protect the reliability and security of the bulk power system without government intelligence information. However, in the limited circumstances when the industry does need government intelligence information on a particular threat or vulnerability, it is critical that such information is timely and actionable.”

John DiStasio, general manager and CEO of the Sacramento Municipal Utility District, told the committee, meanwhile, that “the diversity of our systems leads us to not necessarily have a one-size-fits-all way to control [vulnerabilities].”

NERC’s vice president, David Cook, implied that the bills should be reviewed separately. One of the bills, H.R. 2165, would allow FERC to set standards for how electrical utilities respond to an attack, regulations acceptable to the industry. But H.R. 2195 would allow FERC to set standards for how utilities should address cybersecurity vulnerabilities and authorize FERC to “adopt rules or orders without notice or hearing.” That was unacceptable to the industry.

Sources: House Subcommittee on Energy and the Environment