by David Owens, Edison Electric Institute
Protecting the nation’s electric grid is a top priority for utilities. Traditionally, this has meant guarding against primarily weather-related outages. With the move toward the smart grid, where utilities use the Internet or phone lines instead of internal networks to control their electric systems, we have broadened our mission to include protecting against potential cyberattacks.
The electric power industry uses various strategies to protect our computerized systems. With cybersecurity threats continuing to evolve and our cyberadversaries likely to become more sophisticated, we welcome the effort underway in Congress to give the federal government legal authority to deal with imminent or actual cyberattacks.
This new legislation, though, should be limited to emergencies where there is a need to act quickly to counter a national security or public welfare concern. And this new authority should complement–not supplement–the effective process now in place to ensure a reliable grid.
Current law provides the means to address routine, nonemergency cybersecurity issues. Congress enacted these and other measures as part of the Energy Policy Act of 2005. New reliability standards are developed as needed through the North American Electric Reliability Corp. (NERC), which uses a stakeholder process that involves the owners, users and operators of the North American electric grid. Once a standard is developed, NERC submits it to the Federal Energy Regulatory Commission (FERC) for review. If approved, the standard becomes legally binding and enforceable in the United States.
We recognize that, although comprehensive, this process is not suited for creating standards to address cybersecurity issues that rise to the level of a national security emergency requiring immediate attention. Rather than creating broad new federal regulatory mandates, we urge Congress to draft legislation that specifically addresses only those cybersecurity threats that the president or secretary of energy deems serious enough to merit special federal emergency authority to protect the country’s bulk power system.
Once a federal emergency order has been issued, a sole federal agency should be given the authority to address it. This will eliminate confusion and possible overlapping or conflicting authority or orders.
This authority also should be limited to the bulk power system as defined in Section 215 of the Federal Power Act. Extending emergency authority broadly to include all distribution systems, as well as systems outside the contiguous 48 states, will significantly complicate writing clear, unambiguous orders given the tremendous diversity of assets, entities and operating conditions that must be considered in crafting such an emergency order.
In addition, the focus of the legislation should be the unique nature of a cyberthreat and not a physical security threat. The latter is more than adequately covered by existing law enforcement authorities with whom utilities already work.
Finally, any emergency order issued by the federal government should sunset after 90 days or when the measures to respond to a particular threat have been replaced by a standard developed through NERC processes.
Even with well-crafted legislation that gives the federal government emergency authority to deal with cybersecurity threats, protecting the grid against cyberattacks will demand other measures. One is a closer working relationship between the electric utility industry and governmental agencies that have the best access to intelligence about cyberthreats to electric utility systems. EEI and its member companies already have been working with governmental agencies–the national laboratories, the FBI, Department of Homeland Security, Department of Energy, the Office of the Director of National Intelligence and FERC. We welcome more coordination and information exchange with these agencies.
Another protection against cyberthreats is ensuring that equipment manufacturers adequately fulfill their security responsibilities. With more digital electronic devices and communication systems being introduced to serve the grid, it is vital that suppliers adopt security practices in their organizations, build security into their products and establish programs that can inform utilities about new vulnerabilities as they are discovered, as well as provide technical assistance with solving them.
Toward these goals, we support the process underway at the National Institute of Standards and Technology to develop a framework of equipment standards that will become the foundation of a secure, interoperable smart grid. We also encourage development of a security certification program that would independently test smart grid components and systems and certify that they pass security tests. This certification process would help utilities select only those systems that provide appropriate cybersecurity.
The smart grid promises a transformation in the way electric power is transmitted, distributed and consumed. Electric utilities, their customers and the planet stand to benefit as a result. Making sure we have the proper cyber safeguards will enhance the opportunity for us to realize those benefits.
On the Net: EEI site: http://eei.org
David Owens is executive vice president of Edison Electric Institute.