On July 17, 2012, FERC’s Director of the Office of Electric Reliability, Joseph McClelland, testified before the Senate Committee on Energy and Natural Resources regarding grid and cyber security matters.  McClelland discussed what he believes are the general limitations of FERC’s current authority over cyber security, as well as his recommendations for new legislation to enhance the Commission’s ability to prepare for and respond to cyber attacks and other grid vulnerabilities.

McClelland first identified limitations on FERC’s existing statutory authority over reliability that he suggests inhibit the Commission’s ability to prepare for and respond to cyber-security threats. First, he noted the Commission’s limited role in the reliability standards development process under Section 215 of the Federal Power Act (“FPA”), under which FERC can only approve the reliability standards proposed by NERC or direct NERC to modify the reliability standards. McClelland argued this process is inadequate for addressing “urgent cyber or other national security risks to the bulk power system, particularly in emergency situations.” Second, McClelland suggested FERC’s authority is further limited by Section 215’s exclusion of Alaska and Hawaii and the exclusion of local distribution facilities from the definition of Bulk Power System.

In addition, McClelland noted that the existing reliability standards do not adequately address physical threats to the grid.  Specifically, McClelland warned against electromagnetic pulse events, which can occur naturally, or can be created through man-made weaponry. 

Finally, in renewing his call for new legislation that would expand FERC’s powers to address cyber threats and attacks on the grid, McClelland made the following recommendations for any enhanced cyber security authority:

  1. The federal government should be authorized to take proactive steps during an emergency to require “mitigation” actions before or while NERC is in the process of developing an appropriate standard;
  2. New legislation should ensure the confidentiality of sensitive information;
  3. McClelland noted that limiting any new cyber authority to the “bulk power system” as currently defined in the FPA could inhibit FERC’s authority to mitigate cyber or national security threats to “certain critical facilities and major population areas”; and
  4. Entities should be allowed to recover costs for mitigating vulnerabilities or threats.

A copy of McClelland’s testimony is available here.