Lawmakers mull new cyber powers for FERC

By Jared Serbu
Federal News Radio

House lawmakers are considering legislation that would give the Federal Energy Regulatory Commission (FERC) emergency powers to shore up the electric grid’s cyber defenses. It’s authority that utility companies say FERC doesn’t need, and may not be qualified to exercise.

The Grid Reliability and Infrastructure Defense (GRID) Act passed the full House last year, but stalled in the Senate. Now, its backers in the House are considering reintroducing the measure, which attempts to boost cyber protections in two areas: The nation’s interstate bulk power supply system, and parts of the electric grid that supply power to Defense Department facilities that are critical to national security.

Under the bill, FERC would have the authority, at the President’s direction, to “with or without notice, hearing, or report, issue such orders for emergency measures as are necessary in its judgment to protect the reliability of the bulk-power system or of defense critical electric infrastructure against such threat.”

Potential cyber attacks to civilian critical infrastructure are something DoD worries a lot about, said Paul Stockton, the Pentagon’s assistant secretary for homeland defense. He said the military depends on the private grid for 99 percent of its electric needs.

“In the modern way of warfare, our forces deployed abroad in Iraq and Afghanistan and elsewhere depend to an increasing extent on military facilities back here in the United States,” Stockton told the Energy and Commerce Committee’s Subcommittee on Energy and Power Tuesday. “If there’s a long interruption in the flow of commercial power to those facilities, we’d be facing a situation of potentially devastating effects on our conduct of Defense operations abroad, and we could face serious challenges at home.”

Stockton said the U.S. power grid is, on the whole, very resilient, but it’s not designed to withstand carefully-planned cyber or even conventional attacks.

Right now, to develop security standards, FERC works with the Northern American Electric Reliability Corporation (NERC), a nonprofit coordinating group created by grid operators to ensure a robust system. A joint report issued by the Center for Strategic and International Studies and the security firm McAfee in April found the industry was largely unprepared for a major cyber attack.

Joseph McClelland, director of FERC’s Office of Electric Reliability, said the agency’s existing authority under the Federal Power Act is good enough and fast enough for issuing rules and orders in most situations, but not in the case of a fast-moving cyber attack.

“These are threats that can endanger national security, and may be posed by criminal organizations, terrorist groups, foreign nations or others intent on attacking the United States through its electric grid,” he said. “Given the national security dimension of this threat, there may be a need to act quickly, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure. Faced with a cyber or other national security threat to reliability, there may be a need to act decisively in hours or days, rather than weeks, months or years. The commission’s legal authority is inadequate for such action.”

Private grid operators, however, are not enthusiastic about being subject to new, stronger regulatory authority. They argue there has not been a successful large scale cyber attack on the U.S. electric system, in part because of the security standardization process they already undergo under the auspices of NERC.

Barry Lawson, associate director for power delivery and reliability at the National Rural Electric Cooperative Association, said industry doesn’t need to be told to defend its infrastructure.

“Our industry has every incentive, ranging from financial considerations to the fundamental obligation to serve our customers with reliable and affordable power, to protect the grid when new vulnerabilities emerge,” he said. “The new authority the draft [bill] seeks to give FERC is very concerning to our industry. We question whether FERC has the intelligence handling expertise to exercise such broad new authority. To protect the grid from vulnerabilities, we need timely, actionable intelligence from government. More industry trusted experts need higher levels of security clearances so we can plan effective responses to threats and vulnerabilities.”

But Franklin Kramer, a cybersecurity expert and a former assistant defense secretary in the Clinton administration, said the current regulatory process is too slow to deal with cyber threats. He said FERC needs to have the ability to directly mandate reliability standards to keep up with emerging threats rather than signing off on what industry develops though the NERC process. He said the recent Stuxnet attack on energy sector control systems is a good argument for why.

“It’s a very, very, very severe threat that we have to think about, and the vulnerability exists throughout the electric system,” he said. “It’s sitting out there as a blueprint for anyone to use. That would be an example of a severe threat. It’s not imminent, but I think something needs to be done about that right now and I think it needs to be done promptly. As we do in other kinds of legislation, I would rather have the industry have the opportunity to comment but for the federal government, be it FERC or (the Department of Homeland Security), but some federal agency to determine what standards are necessary, what actions need to be taken promptly, and to cause those actions to be taken under a mandatory system.”

The Obama administration says it has no formal position on the GRID Act other than that any final language should work in concert with the White House’s recently announced comprehensive cybersecurity proposal. McClelland, of FERC, said the two proposals do not appear to conflict.

(Copyright 2011 by Federal News Radio. All Rights Reserved.)


Sign up for breaking news alerts