As Congress considers legislation to protect critical infrastructure from cyber attack, the electric power industry continues to work with federal, state and local governments to protect bulk power system reliability and security. The electric utility industry is fully cognizant of the seriousness of the issue, and it is in the industry's best interest to protect against cyber and physical attacks. When the lights go out, for whatever reason, we are held responsible.
In fact, beginning in the late 1990s, the industry itself put forward legislation to ensure that reliability and cyber security standards were mandatory and enforceable by the Federal Energy Regulatory Commission (FERC), and that legislation was ultimately included in the Energy Policy Act of 2005 (EPAct05).
The North American Electric Reliability Corporation (NERC) also has put in place policies that allow, when necessary, for the confidential and expedited or emergency development of reliability standards, including those related to cyber security. However, the industry, including the American Public Power Association (APPA), has recognized that, in the case of cyber security emergencies, additional authority is necessary to ensure rapid, confidential communication between the federal government and industry. Therefore, a broad coalition of electricity stakeholders has supported legislation with such authority.
The members of APPA, along with our industry partners, believe that any additional legislation to address the cyber security of the nation's electric power system should be based on core principles and take into account cyber security protection efforts already underway, including those initiated under EPAct05.
Any cyber security legislation must support the strong industry partnership with government agencies in the United States and Canada already in place. For example, the electric power industry works very closely with the Department of Homeland Security, the Department of Energy, FERC and various Canadian agencies to obtain needed information about potential threats and vulnerabilities to the bulk power system. The industry also works closely with NERC to develop mandatory reliability standards to address cyber security vulnerabilities (known as Critical Infrastructure Protection standards). In addition, NERC, in its capacity as the Electric Sector Information Sharing and Analysis Center, uses its alert and advisory procedures to provide members of the electric power industry with timely and actionable information from various federal agencies to assure the continued reliability and security of the nation's electric systems. Consequently, the legislation should include language to ensure that NERC and the industry have a statutorily mandated partnership with FERC as cyber security emergency rules are developed under the new law.
Legislation should support NERC's standards development process, which yields mandatory cyber security standards for the bulk power system that are clear, technically sound and enforceable, that garner broad support within the industry, and that can be implemented in both the United States and Canada on the interconnected North American transmission grid. At present, the proposed legislation does not strike the proper balance in the standard-setting process. FERC should oversee the process, but it does not have the technical expertise to write the cyber security rules. That job is best left to NERC and the industry. NERC is striving to draw from the state-of-the-art cyber security controls and countermeasures, through consideration of the NIST framework for cyber security, and to integrate that framework into NERC's existing cyber security standards.
NERC, as an organization, and the industry have made a significant commitment of resources to the development of revised and new cyber security standards. In fact, we have committed some of our scarcest resources — our subject-matter experts in cyber security and system operations — to the task of developing “second-generation” standards for consideration by the industry as a whole.
Finally, it is vital to the protection of the grid that any legislation works to improve the information flow between government and the electric power industry. In the event the industry does need government intelligence on a particular threat or vulnerability, it is critical that such information be timely and actionable.
After receiving this information, the electric power industry can then direct its expert operators and cyber security staff to make the needed adjustments to systems and networks to ensure the reliability and security of the bulk power system. In our view, it is appropriate for FERC to rely on the technical and operational expertise of the industry in this regard.
The electric power industry is fully committed to taking the needed steps to maintain and improve bulk power system reliability and security, and stands ready to work with Congress, FERC, other government agencies and NERC on these critical issues.
Mark Crisson is president and CEO of the American Public Power Association.