On May 5, 2011, Joseph McClelland, the Director for the Office of Electric Reliability (“OER”) of the Federal Energy Regulatory Commission (“FERC” or the “Commission”), testified before the Senate Committee on Energy and Natural Resources (“Energy Committee”) on FERC’s oversight of grid reliability under section 215 of the Federal Power Act (“FPA”) and the Commission’s use of FPA authority with regard to cybersecurity. McClelland also stated that FERC currently does not have enough authority to protect the grid from cyber or physical attacks; thus, more legislation is needed to provide the Commission with adequate authority.
McClelland proposed that Congress should act to:
- give the Secretary of Energy the authority to act on cybersecurity threats, regardless of where NERC stands in developing a particular standard;
- allow the Commission to maintain confidentiality and limit distribution of any sensitive information;
- expand FERC authority to any entity that owns, controls, or operates critical electric infrastructure;
- provide entities with cost-recovery of implementation of any mitigation for vulnerabilities or threats; and
- ensure all legislation on national security threats covers cybersecurity threats, natural threats (i.e., geomagnetic disturbance), and intentional physical acts, including the use of an electromagnetic pulse (“EMP”).
McClelland stated that FERC is limited because it may not modify or author a mandatory reliability standard. Instead, the Commission may only remand the standard to the North American Electric Reliability Corporation (“NERC”) for edits. Further, McClelland stated that the Commission’s authority is limited to the “bulk power system,” which leaves Hawaii, Alaska, all local distribution facilities, and some transmission facilities outside of FERC’s jurisdiction.
McClelland used the long process for approving Critical Infrastructure Protection (“CIP”) Reliability Standards as an example of how the system is left vulnerable while standards are developed through an “open and inclusive process.” Although NERC has expressed concerns over how long it has taken to even identify critical assets, the current process for drafting and proposing CIP standards has taken years and many iterations of standards. The 2008 standards that FERC approved took approximately three years to develop. Thus, McClelland supported a more efficient and confidential process for matters of national security, and he also stated that voluntary participation in NERC’s formal notice process is not sufficient to protect the bulk power system.
Smart Grid was also addressed in McClelland’s testimony, and he expressed concern over advanced metering infrastructure (“AMI”) because a user would be allowed to remotely disconnect service. Currently, an entity may determine if AMI used for controlling critical areas of the bulk power system is a “critical cyber asset.” This makes the AMI subject to mandatory CIP standards based on self-determination, and this is precarious for reliability since AMI could be used to control hardware, software, and data, and to disconnect all customers with an AMI device.
Finally, McClelland discussed the need to address physical threats to the bulk power system. These include the use of an EMP device and naturally occurring events such as storms and solar flares. The existing reliability standards currently do not extend to such physical threats, but physical threats can be just as damaging as a cyber attack.
A copy of Joseph McClelland’s testimony is available here.