Trade Law Daily is a service of Warren Communications News.

Single Regulator Said Needed for Grid Cybersecurity Emergency Authority

The Senate Energy Committee’s short and sweet draft cybersecurity bill may need a few more pages to prevent overlapping agency roles in guarding against threats to the U.S. electric grid, a senator said after hearing testimony from regulators and industry witnesses at a Thursday hearing. The labyrinthine regulatory system for the grid -- with unique treatment for Hawaii, Alaska, metropolitan areas and possibly military installations -- requires a more nuanced framework than exists in the draft, witnesses said. “I do wonder if we're ready to do this next week,” said Sen. Bob Corker, R-Tenn., referring to the bill’s scheduled markup.


The committee’s draft bill follows grid cybersecurity measures from the House and Senate Homeland Security committees -- companion bills -- plus a House Commerce measure that House Homeland has criticized as too narrow (WID May 6 p6). There are also comprehensive cybersecurity bills with White House “czar” authority from Senate Commerce and the Senate Federal Financial Management Subcommittee, the latter as part of an update to the Federal Information Security Management Act. Senate Energy’s draft is by far the shortest at five pages.

The Federal Energy Regulatory Commission would get authority to issue rules without prior notice under the Senate Energy draft bill, if it determines that “critical electric infrastructure” is “immediately” at risk from a cybersecurity “vulnerability.” That’s defined as “a weakness or flaw in the design or operation of any programmable electronic device or communication network that exposes” infrastructure to a cyber threat. The Department of Energy would be empowered to compel FERC-regulated entities, without prior notice, to take immediate action against “threats.” That’s defined as “the imminent danger of an act that disrupts, attempts to disrupt, or poses a significant risk of disrupting” components of the grid. Orders would expire in 90 days unless DoE opens a public proceeding.

FERC has inadequate legal authority to quickly address cyberthreats that may come to a head in “hours or days,” said Joseph McClelland, director of the Office of Electric Reliability. The standards-setting process for the North American Electric Reliability Corporation (NERC), the FERC-designated “electric reliability organization,” typically takes years and isn’t always “responsive” to FERC, he said. The draft bill would “largely rectify” FERC’s dearth of authority, but as written it may only apply to “bulk power systems” as defined in section 215 of the Federal Power Act -- which excludes Hawaii, Alaska and “possibly” territories, including those with military installations, McClelland said. Metropolitan areas would appear to be excluded from FERC authority as well, he added. (The House Homeland Security Committee cited the same perceived regulatory deficiencies in the competing House Commerce bill.)

Better to give NERC new authority to guard against cyberattacks, said NERC President Rick Sergel: “Reliability standards are not enough.” NERC has the expertise to evaluate “unique component configurations” when devising standards for diverse owners and operators, he said: FERC authority over standards would be “unwise” and would “supplant” section 215. The draft bill may set up “competing authorities,” Sergel said. Allen Mosher, American Public Power Association senior director of policy analysis and reliability, said both FERC and NERC need expanded authority but agreed the bill’s emergency provisions could set up “inconsistent” authority.

The draft bill should lay out “clearly defined roles and responsibilities,” said David Owens, executive vice president of business operations for the Edison Electric Institute. The government must carefully consult with utilities to avoid “unintended consequences,” as certain measures to prevent one type of cyberattack could create a bigger threat to the grid. Legislation should focus narrowly on a “potential set of threats,” since cyberthreats usually don’t implicate national security, Owens said. Congress should hold manufacturers of networked equipment to a high security standard as the smart grid goes online, he said, recommending a “Good Housekeeping”-style independent evaluation program.

DoE is reserving comment on the draft bill, said Patricia Hoffman, acting deputy assistant secretary in the Office of Energy. Whatever action the government takes on grid threats should be based on “sound risk management principles” and consider circumstances such as a vulnerability’s characteristics and the cost of mitigation, she said. Hoffman refused several pleas from Corker to weigh in on who should have sole emergency authority, FERC or DoE. Report back on the Secretary’s view quickly, Corker told Hoffman, because an amended bill will likely be voted out of committee next week. “Most of us would probably be uncomfortable with both” DoE and FERC having emergency authority, given what witnesses have said, he added.

FERC should have sole authority but “DoE is very well situated” to lead on R&D and communicating with grid owners, Mosher told Committee Chairman Jeff Bingaman, D-N.M. “As long as there’s a single agency with clear, defined authority … I believe FERC already has that responsibility” under section 215, Owens said. “The commission staff didn’t necessarily see a conflict and an overlap” in authority between FERC and DoE in the draft bill, because of its distinction between vulnerabilities and threats, McClelland said. Consider FERC’s current role, he said: It issued 9,000 orders last year, mostly to electric utilities, concluded 22 enforcement cases, and staff generally have top-secret clearances to work with intelligence agencies. Hoffman said a better distinction in the bill would be between time-sensitive “emergencies” and “vulnerabilities” that aren’t.

Define Yourself Out of Regulation?

Lawmakers became puzzled as regulators described the limits of FERC authority and what it could mean for protecting certain parts of the U.S. from cyberattack. Beyond the “bulk power system” excluding the non-continental U.S., there’s some leeway in the Federal Power Act for regions to determine what counts as “bulk power,” McClelland said. One region in the Northeast including New York City largely excludes facilities under 230,000 volts, and “it could take years to sort through” the claim at FERC, he said. But McClelland cautioned Bingaman that he wasn’t asking for a revision of section 215. What would be helpful, though, is for the committee to give FERC explicit authority outside section 215 for military power systems, he said.

The exact status of New York City under FERC was disputed. Owens said McClelland was referring to local power distributors who haven’t presented a problem in any emergency situations, notably the Sept. 11 attacks. Distribution facilities are explicitly exempt from section 215 regulation, though Mosher earlier warned the bill could be “potentially over-inclusive” by regulating distributors. Nonetheless, as a 138,000-volt network, downtown New York City wouldn’t be covered by the draft bill, McClelland said. But NERC is in charge of defining what constitutes a bulk-power system, a good move by Congress, Sergel said. And the region isn’t “per se excluded” under the bill’s definition. Ranking Member Lisa Murkowski, R-Alaska, sighed that the issue didn’t appear to be any clearer.

Corker asked whether the bill should redefine the bulk power system to include New York City, or leave the term “in the abstract.” There aren’t yet “precise lines” between distribution and the bulk-power system, and there’s “certainly a list [of regions] where it’s difficult, New York being the best example,” Sergel said. Congress could create a “215-plus” authority to cover all systems that are a gray area. The committee should “think seriously about starting in the other direction,” by deciding the highest-priority systems to protect in a cyber-emergency, such as military bases, and write provisions just for them, Mosher said.

Whatever else is changed, distributors should remain exempt from regulation in the draft bill, whose “vulnerability” section currently would scoop them in, Sergel said. “I could see [such authority] cratering just in the number of entities” that NERC would have to contact in the event of a cyberattack, said Mosher -- 1,650 municipal systems aren’t on the NERC compliance registry. His association is working on ways to communicate threat information with those systems, but Mosher said it’s difficult because they usually don’t have security clearances. The more contentious issue may be whether to create a regulatory structure for levying sanctions on entities that don’t comply with orders from Washington, he said.

Corker said he'd like to pass off the bill to the witnesses. “Look, we're senators. Let’s face it, we do not fully understand as each of you do … exactly how this language affects you on a daily basis.” He asked them to “make it work and give us the input back, even if it’s six pages.”