This is the slightly unsettling story of two organizations, FERC and NERC, as they squabble over the pace of improving the cyber security of our electrical grid. For the energy acronym challenged, that's the Federal Energy Regulatory Commission (a part of the Department of Energy), and the North American Electric Reliability Corporation. And one more you're going to need to know before this is through: CIP = critical infrastructure protection.
In last week's HuffPo post: "A Less-than-Obvious Connection of Great Import: Secure the Smart Grid to Improve the Environment" I made the case that in order to lay the foundation for grid-scale renewable energy sources, we've got to ensure that the massive electric grid modernization project called the Smart Grid gives us a system that's at least as hard to disrupt via cyber attack as what we've had up until now, else no one's going to want to see it deployed.
While hundreds (and maybe thousands) of companies, associations, and federal, state and local government entities are involved in this process, the decisions and actions of FERC and NERC have a disproportionally large impact on the rest. And the problem is, they simply aren't getting along. While they're not exactly the Montagues and the Capulets, it seems that some blood may be spilled before this drama is fully played out.
This battle over how fast (FERC) or how slow (NERC) cyber security controls are added, and to how many or how few systems is being waged in public, and their communications on these matters are essentially open letters cc'd to the wider world.
Now, regulatory compliance and the desire to avoid fines aside, some utilities are working to make themselves more secure, some aren't. Some organizations consider risk management part and parcel of running a sound business; others stick their heads in the sand and hope for the best. Most utilities admit, however, that despite whatever reservations they may have with the current NERC CIP standards, that they are more secure today with them than they would be without them.
The case for going faster rests on a couple of basic facts and observations. Here are just a few:
- Attacks on energy systems are increasing in tempo and sophistication (for those who haven't heard of it yet, the recently emerging Stuxnet virus has provided a real wake up call for industry in terms of attackers' advanced capabilities
- Other industries/sectors have much more substantial security controls and governance already in place and have only benefitted from them
- Emphasizing security early in the Smart Grid window will yield benefits including cost savings and much better efficacy
- Oh yeah, and one more little thing: and our entire economy and the well being of our nation depend on secure and reliable power infrastructure
Nevertheless, there's a strong case for going slower:
- Cultural challenges inside utility co's will hinder attempts to make them change too much too quickly
- Regulatory impediments need to be resolved before the whole system can be secured. For example, the fact that the Feds only have jurisdiction over generation and high-voltage transmission assets, while policy for low-voltage distribution is left to the states, and there's little/no standardization of state policy at present) Security standards are still taking shape. NERC's CIP standards are still in their infancy, and NIST just released the 1.0 version of its "Smart Grid Cyber Security Strategy and Requirements"
- Lastly, it costs money to significantly ratchet up the security posture of any complex system, not to mention the one that's been called the greatest engineering achievement of the 20th Century.
It didn't seem to work. Most of the operators of electrical generation equipment and many of the operators of electrical transmission systems continue to say they possess zero (or almost zero) assets critical to the reliable operation of the grid. When suicidal squirrels or low hanging branches touching a wire can trigger a blackout that impacts tens of millions of people, it's hard to understand the logic of these responses from the folks whose job it is to keep the power on 24/7/365.
Then in March of this year, FERC as bad cop, fired a shot across NERC's bow, saying, in essence, that it was mad as hell and not going to take (NERC's or the utilities' resistance) any more. To wit:
[FERC] said NERC's current rules do not provide a reasonable assurance that NERC is capable of complying with FERC reliability directives and that misuse of the NERC standards development process thwarts Congress' fundamental goal of instituting mandatory standards to protect reliability of the bulk power system.
NERC stakeholders [can] veto a [FERC] directive by refusing to approve a new or modified reliability standard intended to comply with the [FERC's] directive. That happened recently when NERC attempted to develop a standard requiring each transmission and generator owner to determine the ratings of its bulk power system facilities. FERC issued the directive in 2007 and NERC has not yet complied with it.
And most recently, in an order issued last week (September 16th), FERC gave NERC a double smack down, denying requests for a rehearing and for additional delays to the timeline for improving the new security standards development process.
So something's got to give, and give it may, as just a few months ago the House of Representatives passed HR 5026, aka the GRID Act, which among other things allows FERC to bypass the NERC standards setting process and issue orders directly to utilities concerning security vulnerabilities not addressed by NERC's CIPS. With Senate approval, FERC may soon cut out the middle man altogether and impose its desire for more security sooner on the utilities, and utilities need to plan and prepare for this possibility.
If you'd like to see firsthand how the industry is handling this and other pressing Smart Grid issues, I recommend you get to (or at least pay attention to) the GridWise Global Forum coming up in DC September 21-23. Some of the most senior leaders in government and industry are going to be there. And who knows, with all this horsepower in one place, maybe they'll make some progress, even if they can't quite resolve the FERC-NERC dispute on cyber security. That's going to take some more time, and probably some pain, before it's settled. Until then, here's hoping that the current level of security being built into the Smart Grid is enough ... for the utilities ... and the rest of us.