House Hearing Highlights Fight Over FERC Cybersecurity Powers-Energy Washington Week
The House energy committee at presstime was scheduled to hold a hearing Oct. 27 to address the controversial issue of how much Congress should expand FERC’s authority for dealing with cyber-attacks and “physical” threats to the grid in the face of the commission’s arguments that it needs significantly expanded powers to meet a growing national security threat. The issue sets up a potential clash between FERC and the electric power industry, which is advocating for a more limited authority for the commission out of concern that federal officials in dealing with cybersecurity concerns might alter the current reliability standards process that provides for extensive industry participation.
The hearing comes after the House Homeland Security subcommittee on emerging threats, cybersecurity, and science and technology held its own hearing July 21 at which FERC’s Office of Reliability Director Joseph McClelland testified that the commission’s current authority is “not adequate” to deal with cyber-attacks or other national security threats to the U.S. transmission and power system and warned that limiting new FERC authority to the bulk power system would pose significant risks.
The Oct. 27 energy committee hearing “is a turf battle,” says a lobbyist closely tracking the issue, who notes that the Homeland Security Committee wants a cybersecurity role for the Department of Homeland Security (DHS), which is under its jurisdiction, while the energy committee wants an electricity focus and to keep the emerging issue within the purview of FERC and DOE. In addition, within the Obama Administration there is disagreement over whether FERC or DOE should be the lead agency on the issue, and DHS also wants a role, the source says.
Although an energy committee spokesperson did not return calls about the hearing, knowledgeable sources say the focus of the hearing will be H.R. 2165, the Bulk Power System Protection Act of 2009, introduced April 29 by Rep. John Barrow (D-GA), and cosponsored by Reps. Henry Waxman (D-CA) and Ed Markey (D-MA). The committee will also examine H.R. 2195, a bill that amends the Federal Power Act to give FERC new cyber authorities. Energy committee Ranking Republican Joe Barton (R-TX) reportedly has no objections to H.R. 2165, and industry groups generally support it, says one industry source.
The bill would, among other things, authorize FERC “to issue orders for emergency protective measures if the president provides FERC with a determination that an imminent cybersecurity threat to the system exists.” It would also direct FERC “to promulgate rules and procedures to prohibit the unauthorized disclosure of certain unclassified sensitive cybersecurity information.” It would also amend the Federal Power Act to require FERC to “establish measures to protect the bulk power system against cybersecurity threats resulting from vulnerabilities” that the North American Electric Reliability Corporation (NERC) identified in a June 2007 analysis sent to “Electricity Sector Owners and Operators” and to deal with “related remote access issues.”
An electric power source notes that a broad industry coalition representing “a rare instance of cooperation” agrees that FERC should receive some new cyber-threat authority to deal with issues for which NERC has not developed a standard, but FERC’s authority should be “limited in time.” In contrast, “FERC wants as much authority as it can get,” the source says, including authority over physical threats to infrastructure. The coalition includes the Edison Electric Institute, American Public Power Assn., National Rural Electric Cooperative Assn., Electric Power Supply Assn., ELCON, the Large Public Power Council, National Assn. of Regulatory Utility Commissioners, the Transmission Access Policy Study Group, and the Canadian Electricity Assn.
In testimony at a May 7 Senate energy committee hearing on a “Joint Staff draft” bill, EEI’s Executive VP for Business Operations David Owens touched on some of the broad industry concerns. He commented that any new FERC or DOE statutory authority “should be limited to true emergency situations where there is a significant declared national security or public welfare concern.” In such cases, “it is imperative that the government can provide appropriate entities clear direction about actions to be taken, and assurance that those actions will not have significant adverse consequences to utility operations or assets, while at the same time avoiding any possible confusion caused by potential conflicts or overlap with existing regulatory requirements,” Owens testified.
He also commented that, “Legislation in this area should complement, not supplant, the mandatory reliability regime already established under FPA Section 215, and any new federal authority should be appropriately narrow and focused only on unique problems that cannot be addressed under Section 215. The Section 215 mandatory reliability framework reflects years of work and broad consensus reached by industry and other stakeholders in order to ensure a robust, reliable grid. It should not be undermined so early in its implementation.”
But Yvette Clarke (D-NY), the DHS subcommittee chair, at the panel’s July 21 hearing complained of an industry “head-in-the-sand mentality” on cyber threats, saying, “Many in industry are apparently trying to avoid compliance with their own inadequate standards. I am deeply concerned about this irresponsible behavior. A letter dated April 9, 2009, which is atta