FERC, Congress Take Aim at Cybersecurity Risks in the Electric Utility Sector
- The Federal Energy Regulatory Commission (FERC) recently issued a Notice of Proposed Rulemaking to address cybersecurity concerns involving the electric grid, specifically the risk of malicious software being introduced into industrial control systems, software and network services prior to their delivery to the customer.
- Congress has also expressed serious concerns over the cybersecurity preparedness of the electric sector.
In light of the potentially devastating economic losses that could result from a cybersecurity attack causing widespread power outages as well as continued concerns about the vulnerability of the nation's electric utility system, the Federal Energy Regulatory Commission (FERC) and both chambers of Congress have recently taken actions to address critical cybersecurity concerns to the industry.
FERC issued a Notice of Proposed Rulemaking (NOPR) on July 16, 2015, to address cybersecurity concerns involving the electric grid, specifically the risk of malicious software being introduced into industrial control systems, software and network services prior to their delivery to the customer. FERC's actions comes in response to two recently identified malware infections, one of which (Havex) was implanted in control systems and affected several European companies, and another (BlackEnergy) that was likely planted in 2011 but only recently activated.
While FERC does not have authority over upstream suppliers, it recently sought comments on how best to ensure the integrity and security of supply chain equipment and software based on those obligations on entities already subject to the North American Electric Reliability Corporation's (NERC) authority. Based on these comments, FERC has indicated it intends to direct NERC to develop a new reliability standard to implement security controls over the supply chain.
This action is a result of serious and systemic concerns over cybersecurity risks in the supply chain and, demonstrating how significant FERC considers this threat, marks only the third time that FERC has exercised its authority to direct NERC to develop a reliability standard.
FERC has also announced that it will hold a Technical Conference on Jan. 28, 2016, to "facilitate a structured dialogue on supply chain risk management." In addition, the NOPR sought to correct two other vulnerabilities it does not believe were adequately addressed by NERC's proposed cybersecurity standards. First, FERC was concerned that NERC had not provided adequate physical protections for non-programmable components, e.g., cables and switches, of the communication systems between cyber assets that could enable "man-in-the-middle" attacks utilizing intercepted data. To correct this shortcoming, FERC directed NERC to modify its proposed standard to require the protection of all communication links and sensitive data between the electric system's control centers, including those carried by third-party networks.
Second, FERC questioned NERC's proposal to only establish security controls for transient devices (such as flash drives) connected to medium- and high-impact cyber systems but imposing no restrictions for devices connected to low-impact systems. Concerned that this approach created a security gap by which malware could still reach critical cyber assets connected to low impact systems, FERC directed NERC to provide more justification for its decision.
Although FERC is respecting its existing jurisdiction and is not seeking to directly impose obligations beyond those entities already subject to electric reliability standards, its proposals will begin to substantially change the working – and ultimately, the contractual – relationship the electric industry has with its suppliers. To close these gaps that could be exploited by sophisticated hackers, purchases of control systems and software will likely be limited to providers that can certify compliance with the final standards developed by NERC, and communications over telecom wires as well as wireless networks will be subject to new security provisions.
Congress has also expressed serious concerns over the cybersecurity preparedness of the electric sector. In the past few months, the Senate Energy and Natural Resources Committee passed S. 2012, the Energy Policy Modernization Act of 2015 out of committee by a bipartisan vote of 18-4. The bill designates the U.S. Department of Energy (DOE) as the Sector-Specific Agency for the energy sector. Importantly, the bill provides for the President to notify the Secretary of Energy that "immediate action is needed to protect the bulk power system," and upon that notification, the Secretary of Energy has immediate emergency powers to order a bulk power system owner, operator or user to take actions immediately to avert or mitigate a cyber threat.
The House Energy and Commerce Committee has spent a considerable amount of time on cybersecurity concerns with the electric grid. Chairman Fred Upton (R-Mich.), as a means to more quickly move portions of his bill, attached an amendment onto a transportation-related bill, the DRIVE Act, that includes the text of the Energy Policy Modernization Act of 2015. The House and Senate will go to conference on the DRIVE Act with the amendment included, expediting the language and potentially seeing that included in the final bill that the President is expected to sign into law. The bill could be completed as early as the end of this year.
At the same time, both the House and Senate have been working on cybersecurity legislation that will also go to conference shortly. The Senate recently passed S. 754, the Cybersecurity Information Sharing Act, which includes a provision with two requirements for the U.S. Department of Homeland Security (DHS). First, DHS would be required to create a program to mitigate cybersecurity attacks against critical infrastructure, and, second, DHS must assess whether all critical infrastructure should be required to report a cybersecurity attack to both DHS and its respective Sector-Specific Agency. These provisions include all aspects of the energy sector and are on a broader scale than the sector has seen in the past.
As cybersecurity concerns mount and concerns over physical security reinsert themselves in the electric utility sector, expect more oversight from FERC and increased activity at NERC, along with similar efforts from DOE and DHS.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.