On January 26, 2011, the Inspector General of the Department of Energy (“DOE IG”) released an audit report on the Federal Energy Regulatory Commission’s (“FERC” or the “Commission”) Monitoring of Power Grid Cyber Security (the “Report”). In the Report, the DOE IG concluded that the Commission has worked towards ensuring that Critical Infrastructure Protection (“CIP”) cyber security standards are developed and approved; however, these standards did not always include the controls recommended for protecting “critical information systems.” The DOE IG found that the Commission’s implementation approach and schedule are inadequate and do not ensure that systems-related risks are mitigated or addressed in a “timely” manner, and the DOE IG also issued specific recommendations for the Commission Chairman, Jon Wellinghoff.
The Report highlighted that the Energy Policy Act of 2005 (“EPAct 2005”) granted the Commission jurisdiction to maintain oversight of the bulk electric system and approve mandatory cyber security reliability standards. Despite this authority, the DOE IG stated the CIP standards did not include security controls commonly recommended for systems maintained by government and industry. Additionally, the FERC-approved implementation schedule and approach for these standards did not adequately consider risk to the information systems.
In addition to security controls, the Report identified that entities in the bulk electric system may not have identified their critical assets, which is an important step in ensuring cyber security. Entities that found that no critical assets or critical cyber assets existed were then exempt from many CIP standards. Further, according to the Report, even with an accurate inventory some standards may not have met government and industry practices. The Report recommended that organizations like the SANS Institute, the Information Systems Audit and Control Association and NIST provide commonly recommended security controls to protect administrative and critical infrastructure systems.
With respect to the development of reliability standards, the Report found that the current approval process and standards development process were “not timely.” The DOE IG pointed out that it took at least 41 months to develop, approve and implement the initial CIP standards. The Report noted that there are ongoing efforts to reduce comment and balloting periods and to institute streamlining procedures, and that these revisions could help entities respond to emerging threats.
The Report issued the following recommendations for the Chairman:
- Continue to work with Congress to obtain authority appropriate for ensuring adequate cyber security over the bulk electric system;
- Work with NERC to continue refining CIP standards to include risk-based requirements and cyber security controls to help minimize vulnerabilities to the power grid;
- Ensure timely development and approval of the CIP standards, including increasing communication with NERC and electric industry entities during the process;
- Ensure the Commission adequately monitors the performance of NERC and the eight regional entities responsible for security over the bulk electric system; and
- Ensure that cyber security performance metrics for NERC and the regional entities are developed and utilized and enable the Commission to effectively monitor and assess program performance.
Chairman Jon Wellinghoff submitted comments on the Report dated November 16, 2010. He stated that FERC believes “effective cyber security standards cannot be developed at the pace recommended in the audit report under the existing statutory framework.” Chairman Wellinghoff noted that cyber security is distinct from other reliability standards, as the attacks are “qualitatively different” and are “covert and coordinated” and “emerge with alarming speed.” Chairman Wellinghoff argued that in order to respond effectively and quickly to cyber security threats, the Commission will need additional authority to act on the second and third recommendations of the Report. Chairman Wellinghoff noted that the Report criticized FERC’s decision to approve CIP standards that were deficient. He pointed out that these were a “baseline,” and that FERC directed modifications to the standards as approved. Additionally, he noted that FERC, under section 215(d)(2) of the Federal Power Act (“FPA”), can only remand proposed standards to NERC to ensure they are “just, reasonable and not unduly discriminatory or preferential, and in the public interest.” He also argued that the complexity of imposing mandatory cyber security standards on diverse entities contributed to the implementation pace. Chairman Wellinghoff reiterated that FERC needs additional authority to deal with cyber security threats in a timely manner.