Congress is considering a bill that will expand the Federal Energy Regulatory Commission’s (FERC) authority to directly address cyber security threats. The House of Representatives’ Subcommittee on Energy and Air Quality has before it a discussion draft of a bill, the Bulk Power System Protection Action of 2008, that will amend the Federal Power Act to address known cyber security threats to the reliability of the bulk power system and to provide FERC with emergency authority to address future cyber security threats. The proposed bill would allow FERC, upon directive by the President, to issue emergency orders directing any owner, user or operator of the bulk power system to take actions necessary to protect the reliability of the bulk power system against an imminent cyber security or other national security threat.
The integrated nature of the electric and communications systems in today’s bulk power system makes it uniquely vulnerable to a cyber attack. There are multiple points of communication between the power generator, regional transmission operator, transmission substation, distribution substation and the ultimate consumer. In addition, the advent of technologies such as “smart grid” creates even greater vulnerabilities, as they introduce additional access points to the communication systems used to operate the electric grid. The Vice President of Exelon Corporation, Steven Naumann, testifying on behalf of the Edison Electric Institute (EEI) and the Electric Power Supply Association (EPSA) at a September 11, 2008 hearing before the House Subcommittee on Energy and Air Quality, stated that the electric utility industry relies increasingly on digital information and controls, making cyber security a constant challenge for the industry. FERC echoes these concerns, raising the alarm that “damage from cyber attacks could be enormous” and noting that a cyber attack could lead to a widespread disruption of electric service that could quickly “undermine our government, military readiness and economy, and endanger the health and safety of millions of citizens.”1 FERC believes its current legal authority is inadequate to protect the grid in the event of a cyber attack.
Presently, pursuant to Section 215 of the Energy Policy Act of 2005 (EPAct 2005), FERC has oversight over the imposition by the Electric Reliability Organization (ERO) of reliability standards for owners, operators and users of the bulk electric power system, including standards that address cyber security issues.2 However, under the Section 215 process, FERC’s authority is limited in that it cannot issue any reliability standards or make any modifications; rather, it may either approve or remand a proposed standard to the ERO. To date, NERC, the designated ERO, has issued and obtained FERC approval of cyber security reliability standards.3 However, these cyber security standards took NERC and the industry approximately three years to develop. FERC Chairman Kelliher testified before the House Subcommittee on Energy and Air Quality that while Section 215 is “an adequate statutory foundation to protect the bulk power system against most reliability threats,” the “threat of cyber attacks or other intentional malicious acts against the electric grid is different.” FERC warns that the damage from cyber attacks could be enormous, eclipsing the damage resulting from the August 2003 blackout. FERC therefore seeks through legislation the authority to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect security-sensitive information from public disclosure.4 FERC has requested legislation that will allow it to act promptly to protect the electric system against current cyber threats as well as future cyber and other national security threats.
While the prominent electric trade associations, EEI, EPSA, National Rural Electric Cooperative Association (NRECA), and the American Public Power Association (APPA), agree that it is appropriate for Congress to consider legislation providing FERC new authority to address emergency cyber security threats, they advocate a more conservative approach than FERC. These associations believe that cyber security legislation should complement, not supplant, the mandatory reliability regime established under Section 215 of EPAct 2005 and should be limited to true emergency situations.
The associations and FERC diverge on three areas of the draft cyber security bill, each of which is in line with the associations’ desire to limit the scope of the legislation to cyber security emergencies. The first area of disagreement is the definition of cyber security threat. The associations advocate a narrowly tailored definition that would define the term to require a substantial likelihood of a malicious act and a substantial possibility of disruption to the operation of the system. FERC suggests a broader definition of cyber security threat, which would include circumstances where there is credible information or evidence of (1) the likelihood of a malicious act that could disrupt the operation of electronic devices and communication networks that are essential to the reliable operation of the bulk power system or (2) a substantial possibility of disruption to the operations of such devices and networks in the event of such a malicious act.
The second area of disagreement is whether the legislation should be expanded to give FERC authority to act in response to both cyber security threats and “other national security threats.” Although the proposed bill does not define national security threats, Chairman Kelliher notes that such language is intended to cover “intentional physical malicious acts (targeting, for example, critical substations and generating stations).”5 The associations are wary of this broad language, noting that it is vague and potentially all-encompassing.
Third, the associations seek the inclusion of a sunset provision to apply to both interim measures and emergency measures that FERC may implement in response to a cyber security threat. The associations argue that any measures or orders that should be ongoing should be replaced by reliability standards developed by NERC through the open, collaborative Section 215 procedures.
Notably missing from the discussion regarding the new cyber security legislation is whether a utility’s cyber security costs resulting from future FERC action will be recoverable, and the fact that FERC’s broad civil penalty authority under EPAct 2005 would allow it to assess civil penalties against utilities of up to $1 million per day for failure to timely comply with any emergency FERC order issued pursuant to its authority under the proposed bill. These potential financial repercussions should be a concern for utilities, generators and transmission operators.