FERC versus NERC
A cyber security showdown?
Published In: Intelligent Utility July / August 2011
THE DEFINITION OF THE BULK POWER SYSTEM is in play, within certain circumstances, in new electric utility cyber security legislation currently moving through Congress, both via the U.S. House of Representatives and the U.S. Senate. So, too, is the potential reach and control of the Federal Energy Regulatory Commission (FERC) being stretched by the proposed new legislation.
It's an issue with the potential to draw a line in the sand with regard to federal versus state regulatory control over certain aspects of the electric grid, and it's already being met with sparks, albeit polite ones ... so far.
Defining the bulk power system
Let's begin this chapter in the latest regulatory saga by assessing the current definition of the bulk power system.
Under the Federal Power Act (FPA), Part 39 (Rules Concerning Certification of The Electric Reliability Organization; And Procedures For the Establishment, Approval and Enforcement of Electric Reliability Standards), the bulk power system is defined as "facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof), and electric energy from generating facilities needed to maintain transmission system reliability."
It's important to note the last part of this definition: "The term does not include facilities used in the local distribution of energy." Nor does it apply to Alaska and Hawaii, or to some transmission facilities.
On August 8, 2005, the Electricity Modernization Act of 2005 (Title XXI, Subtitle A, of the Energy Policy Act of 2005, or EPAct 2005) was enacted into law. EPAct 2005 added a new section 215 to the FPA requiring a FERC-certified Electric Reliability Organization (ERO) to develop reliability standards, which are subject to FERC review and approval. Once approved, these reliability standards become mandatory and may be enforced by the ERO, subject to FERC oversight. In July 2006, FERC certified the North American Electric Reliability Corporation (NERC) as the ERO.
Rocking the boat
But there are new waves rocking the boat. Approximately two years ago, both the U.S. Senate and the U.S. House of Representatives began drafting legislation designed to protect grid reliability and to defend energy infrastructure from cyber and physical attack. New drafts of those proposals, strikingly similar in their structure and wording to those of two years ago, appeared in Congress earlier this year, and were widely discussed in May and June, as this issue of Intelligent Utility went to press. In both cases, it was clear that the federal government intends to redefine FERC's powers and control over both the bulk power system and "defense critical electric infrastructure" (defined, essentially, as anything not currently covered by the legal definition of the bulk power system), even if only for the purposes of "protect(ing) the bulk power system and electric infrastructure critical to the defense of the United States against cyber security and other threats and vulnerabilities" (according to the Grid Reliability and Infrastructure Defense, or GRID, Act proposed by the U.S. House of Representatives).
The discussion draft proposed by the Senate has similar intent.
In this corner
Understandably, this has created quite a stir, primarily focused on the roles of FERC and those of NERC, and the question floating above it all is quite simple: Why is FERC being granted new, overriding powers, flying in the face of the established role of the ERO?
In a letter to U.S. House Energy and Power Subcommittee chairman Ed Whitfield (R-Ky.) and Ranking Member Bobby Rush (D-Ill.), American Public Power Association (APPA) president and CEO Mark Crisson said that, while the APPA supports new authority for FERC to issue emergency orders in the event of a grid security event, provisions in the GRID Act giving federal regulators increased authority to regulate electric industry cyber security vulnerabilities are "unnecessary and overly broad."
Further, he wrote, the vulnerabilities provisions of the GRID Act "could allow FERC to rewrite the entire mandatory and enforceable standards the electric utility industry has worked on for nearly eight years." The GRID Act, as drafted, would also allow the commission to enact standards without first consulting with utility experts on reliability efforts, he noted.
Gerry Cauley, NERC's president and CEO, says that, while government authority to deal with cyber emergencies is needed, and NERC stands ready to assist in responding to identified grid security threats, there are definite issues with the GRID Act, as drafted. In his written presentation to the House Energy and Power Subcommittee at the end of May, he said:
"NERC's mission is to ensure the reliability of the North American bulk power system. This responsibility encompasses the security of cyber assets essential to the reliable operation of the electric grid. NERC works with government agencies, industry and consumers to support a coordinated, comprehensive effort to address grid cyber security. NERC's FERC-approved critical infrastructure protection (CIP) reliability standards are one of only two sets of mandatory cyber security standards in place across the critical infrastructures of the United States today. In addition, NERC's three-level Alert system informs industry and recommends preventative actions to address imminent and non-imminent cyber threats and vulnerabilities.
"These existing practices should be enhanced, not pre-empted, by grid cyber security legislation."
In the opposite corner
On the other side of the argument stands Joseph McClelland, director of the FERC Office of Electric Reliability. In a presentation similar to his Senate testimony, McClelland told the House subcommittee that the procedures used by NERC, while "appropriate for developing and approving routine reliability standards ... can be an impediment when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information."
The current procedures used under Section 215 for the development and approval of reliability standards, McClelland said in written testimony, "do not provide an effective and timely means of addressing urgent cyber or other national security risks to the bulk power system, particularly in emergency situations. Certain circumstances, such as those involving national security, may require immediate action, while the reliability standards procedures take too long to implement efficient and timely corrective steps."
Ignoring the elephant
Interestingly enough, the other elephant in the room remains unaddressed by most parties to the discussion: the expansion of control, no matter whose, to include not only the bulk power system as currently defined, but also "defense critical electric infrastructure."
Distribution systems were intentionally excluded from the jurisdictions of both FERC and NERC in Section 215 of the FPA, as Cauley pointed out in his Senate Committee on Energy and Natural Resources testimony earlier in May. "If the intent is to expand the scope of authority for electric system security into distribution systems, this is a critical issue requiring involvement of the states, and also calls for consultation with asset owners and operators and other stakeholders who should be included in such a process," he told the committee.