Over 30 years of reporting on Congress, federal agencies and the White House for corporate America as well as national trade and professional associations.

Nailing Down Grid Cyber Security

EnergyBiz Magazine...July/August 2011

     The Obama administration's economy-wide cyber security plan presented by the White House in May makes it much more likely that the holes in existing electric utility cyber defense plans will be plugged sooner rather than later.

     Legislation passed in 2005 gave the Federal Energy Regulatory Commission (FERC) the responsibility for overseeing cyber security defenses for transmission and generation companies, the only companies for whom there is a national legislative mandate. But recent federal reports have underlined the Swiss-cheese nature of the standards published by the North American Electric Reliability Corporation (NERC), which FERC designated to produce standards aimed at guarding against computer virus attacks on critical assets.
      The Obama legislative initiative would extend the federal mandatory cyber attack umbrella to the steel, chemical and other industries. Sens. Jeff Bingaman (D-N.M.) and Lisa Murkowski (R-Alaska), chairman and ranking member of the Senate Energy and Natural Resources Committee, held hearings on May 5 on a draft bill which would strengthen the original 2005 electric utility provisions; that bill, some of whose provisions are opposed by the industry, would become amendments to a broader bill, based on the Obama initiative, expected to be shepherded through the Senate by Sen. Jay Rockefeller (D-W. Va.), chairman of the Commerce Committee.
      The 2005 Energy Policy Act gave FERC authority to designate a private sector group to establish standards for the "bulk power system," which excludes local distribution companies and transmission facilities in Hawaii and Alaska. The FERC designated the NERC as that standards setter. FERC has the authority to review NERC standards, and ask for revisions.
      But since August 2006, when NERC submitted its first eight proposed cyber security standards, FERC has repeatedly directed NERC to fill gaping holes in those standards, which have also been the subject of criticism from the Inspector General at the Department of Energy and the Government Accountability Office (GAO). Joseph McClelland, director of the Office of Electric Reliability at FERC, told the Senate Energy Committee on May 5 that the majority of FERC's modifications have not been incorporated into the NERC standards. "Until they are addressed, there are significant gaps in protection such as a needed requirement for a defense in depth posture," McClelland stated.
      In a January 2011 report, the DOE IG implied that FERC was to blame for not pressing NERC harder and faster. "Although the Commission had taken steps to ensure cyber security standards were developed and approved, our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems," the report stated. "In addition, the standards implementation approach and schedule approved by the Commission were not adequate to ensure that systems-related risks to the nation's power grid were mitigated or addressed in a timely manner."
     The Bingaman/Murkowski draft bill would allow FERC to issue an interim final rule (IFR) establishing electric reliability standards if it felt NERC had failed to do so. FERC could do that without the prior notice and public comment period that traditionally accompany federal rulemaking, and could issue that IFR with less than 30 days' notice. In the event of an emergency cyber threat, the Secretary of the Department of Energy could issue an emergency order forcing the power industry to take certain steps to protect critical electric infrastructure. The order would be effective for 90 days initially and could be extended if public hearings were held. Companies could recover reasonable costs of complying with that emergency order from rate payers.
     David K. Owens, executive vice president, business operations, Edison Electric Institute, says any new authority given to FERC or the DOE should be limited to truly critical assets. "Over-inclusion of electric utility infrastructure would be counterproductive," he explained at the hearings. Critics of NERC's standards say they cover only a limited number of generation and transmission assets. The DOE IG report said: "Even though critical assets could include such things as control centers, transmission substations, and generation resources, the former NERC Chief Security Officer noted in April 2009, that only 29 percent of generation owners and operators, and less than 63 percent of transmission owners identified at least one critical asset on a self-certification compliance survey."
     Owens adds that any new DOE emergency authority "should be limited to true emergency situations involving imminent cyber security threats where there is a significant declared national security or public welfare concern." The draft legislation is much broader; it doesn't mention that there needs to be an "imminent threat," for example. On the FERC interim final rule authority, he notes, "we are concerned about the lack of due process for stakeholder input."