Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
The Federal Energy Regulatory Commission recently concluded audits of cybersecurity practices of electrical grid operators. It found they mostly comply with legally required cyber measures. But that doesn’t mean the grid is free of cyber-related danger. Scott Johnson, energy regulatory lawyer and senior counsel at Akin Gump, joined the Federal Drive with Tom Temin to provide an analysis of this exercise.
Scott Johnson: Hey, Tom, thanks for inviting me. I’m really happy to be here.
Tom Temin: And this FERC report seems to be of two minds. One that yeah, you’re doing everything, you grid operators that we regulate. You’re doing everything you should in cyber, but there are lots of vulnerabilities that could really bite the grid. What should we take away from all of this?
Scott Johnson: Well, that’s true, Tom. FERC staff noted in its report that its audit reports were generally good, but that there were some potential infractions. These seem in the report more like weaknesses than abject failures of grid entities to be performing in the way that they’re supposed to perform under the critical infrastructure protection standards. But it’s really important to realize that there can be penalties for these kinds of weaknesses, which depend on the severity of violation. So there are a handful of sort of major themes, including that one that I can tell you about from the report. One thing it’s also important to say at the outset is that it’s difficult to know the sample size that we’re talking about here. The report just says that it covers several registered entities that are subjected to these reliability standards. But it’s hard to say what sort of a slice of the industry we’re talking about. But in the 14 lessons learned that first staff covered there definitely are some recurring themes. The first major one is that entities really need to enhance their existing policies and procedures on a variety of subjects covered by these reliability standards, including evaluating and categorizing cyber assets that are covered; including samples of off site data that’s stored in different locations in representative datasets for recovery testing for when they might need to recover their systems; properly documenting the rules for low, medium and high impact cyber assets; and making sure that software security upgrades are being performed as required versus simple patches; and making sure that all of their devices are running the most current versions of software to make sure that there aren’t vulnerabilities there.
Tom Temin: I would say that then FERC has similar worries about the electrical grid that, say, TSA does over pipelines,
Scott Johnson: It does. The ways that the systems work is somewhat different. But the overarching concern is reliability. FERC and the North American Electric Reliability Corporation want to make sure that the lights stay on and that people in businesses have the power flowing that they need for their lives and operations. It’s really important to keep people safe.
Tom Temin: All right, then you said there were a couple of other themes that emerged with respect to cyber of the grid, and what else did you see in that report?
Scott Johnson: So there are a number of references, just a sort of formal documentation and the level to which that’s essential to success at overall risk management programs. In this way, you know, we’re talking about consistency of application of rules, efficiency of making the updates and changes that are required to keep systems safe, improving the process of going through these things and making sure that resources are being allocated efficiently. And also training. You know, if you don’t have these things written down, it’s very difficult to share them with new personnel as they come on board or with other people as they change roles. So the formalization of documentation is pretty critical. Another major theme is just limiting access to sensitive data to need to know personnel. Entities really need to have documented processes so that they consistently apply these system access control rules to people across their organizations, and keep tabs on where information is stored and accessible — who it’s accessible to and what their justification is for having access to that information.
Tom Temin: Yeah, it sounds like some basic cybersecurity hygiene practices that could apply anywhere. We’re speaking to Scott Johnson, senior counsel at Akin Gump, who specializes in energy regulatory issues. And the regime for overseeing cybersecurity in the electrical sector, is that primarily energy? That is to say, it’s one of those sectors that’s not directly tied to Homeland Security, correct?
Scott Johnson: It is sort of energy specific. These reliability standards were developed by NERC as the electric reliability organization for the United States, which is approved by FERC. FERC does that under its authority in Section 215 of the Federal Power Act, and NERC can enforce these reliability standards subject to FERC oversight, or FERC can do it on its own. So this is sort of a specific subset of rules and enforcement mechanisms in this particular area of the bulk electric system.
Tom Temin: Yeah, that was my question. How much say does FERC have over these bulk suppliers? We should point out the FERC oversight is limited to a very specific group of types of grid operators. Not every local utility comes under FERC, correct?
Scott Johnson: That’s true. So the standards when NERC proposes them are evaluated and in most cases approved by FERC. Sometimes FERC requires changes, there can be a little bit of back and forth, including comments by regulated entities about what they would like to see in the reliability standards. And when we’re talking about the bulk electric system, you’re right that we’re generally talking about the high voltage transmission system that criss crosses the country, in addition to some generators that connected to the grid at high voltage. We’re generally not talking about the lower voltage distribution lines of the type that connect to homes and businesses.
Tom Temin: And from the sense of this, does this look like FERC is really checking to see if the grid, as it has overview of, is safe from cyber threats? Or was this really a exercise in seeing if the compliance mechanisms are in place, because often there’s the phenomenon that everything can be complied with. But you’re still not cyber secure?
Scott Johnson: That’s true, I’d say that this report from October represents a little bit of both. The main purpose of the report is to help the responsible entities that are subject to the reliability standards, improve their compliance with those standards as well as their overall cybersecurity posture. So I think it’s fair to say that it’s a combination of the two. FERC has been doing these annual reports for about five years, since it started the audit process. And this is really just another part of a much larger governmental effort to ensure that our electric system remains reliable in the sort of face of ever increasing cyber threats.
Tom Temin: And so far, we haven’t seen — at least I’m not aware of — a ransomware attack successfully carried out against an electrical distributor. Is that a possibility, just as it was against a pipeline?
Scott Johnson: I would say on a large scale, that’s true. I was reading recently about an electric cooperative that appears to have been the victim of what seems to be a ransomware attack. It has lost access to some of its information technology systems, although to my knowledge its operational technology systems haven’t been affected. So we haven’t seen anything certainly on the scale of the Colonial Pipeline incident from the spring and summer. But there are things out there that are happening and the government is aware of them. Just today, in fact, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency put out a set of immediate steps, quote unquote, to strengthen critical infrastructure against potential cyber attacks as we move into the holiday season. So there’s a lot of awareness of this and there are a lot of different agencies of government working on it.