FERC seeking increased power
Quoting pieces from PC Magazine’s “Electrical Grid Vulnerable to Hackers, House Told”
“The harm could extend not only to the economy and the health and welfare of our citizens, but even to the ability of our military forces to defend us, since many military installations rely on the bulk power system for their electricity,” said Joseph Kelliher, chairman of the Federal Energy Regulatory Commission (FERC).
The Energy Policy Act of 2005 gave FERC the authority to approve reliability standards regarding the nation’s bulk power system. But FERC can only approve standards; it cannot actually craft them. That job falls to the North American Electric Reliability Corporation (NERC), which worked with the industry to develop standards it presented to FERC in August 2006. FERC gave those standards its final approval in January 2008.
That type of timeline is acceptable for most issues relating to the nation’s power system, but when it comes to possible cyber attacks, the government needs to be able to act within hours or days, not three years, Kelliher said.
FERC is limited by the paper shuffling and red tape created by the 2005 legislation. If FERC identifies a problem, it can order NERC to develop a solution within 60 days, but Kelliher said he is not sure NERC “could meet this schedule in practice.”
FERC “does not have sufficient authority to guard against national security threats to reliability of the electric system,” Kelliher said.
He said FERC should also be able to compel utilities to make changes, and the commission’s power should perhaps extend beyond the bulk power system, which at this point does not include Alaska, Hawaii, or local distribution facilities, which include major cities like New York and Washington, D.C.
Ok.
So after NERC’s lambasting in front of Congress a few months ago, FERC probably feels like it needs to flex its muscles a little. You know, show us that it’s relevant in the space.
To me this smells of “bureaucrat seeks to increase his power using fear-mongering and scare tactics.”
The problem with granting FERC these additional powers will be obvious to anyone working in a regulated environment. Currently NERC issues standards to which utilities must comply. FERC is now seeking the ability to issue additional regulatory requirements.
You can’t serve two masters.
FERC is seeking these responsibilities under the guise that they need to respond to “urgent and sudden” threats.
But in reality, if they gain this power, it’s my contention that the situation will be worse, not better. An alternate approach should be considered.
So, what constitutes the kind of threat that would trigger a FERC requirement? Would it be the kind of threat that triggered the TSA to stop allowing passengers to carry any liquids on airplanes?
One core problem I see is that rapid, non-vetted changes in a system increase overall risk.
If this weren’t the case, then why are our bulk power generation facilities setting up sophisticated configuration management (CM) procedures to ensure that their systems don’t move into an inconsistent state without sufficient vetting?
Additional regulation and mandate will not get us to a true, lasting security.
The regulatory environment is just plain broken in just about every instance that I see. The answer is not more regulation and oversight; the answer is using a different approach.
Achieving confidence in the security posture of the electrical grid requires a few simple things that, as of yet, are not done:
- Define what “a secure grid” looks like. A realistic view can help drive where we want to go. Security for security’s sake is a waste of time, effort, and money. Tell the industry where it needs to go.
- Build smart, responsible regulation that pushes the industry in a measurable way toward that goal.
- Develop tools and resources to facilitate this migration. For example, develop generic contract language that companies can use when making software and hardware purchases that shifts the burden of secure product development onto the appropriate party.
- Develop financial incentives to motivate the change. In the corporate security arena, you see a rapid movement toward data security in the wake of very costly data disclosures. Power operators don’t make money when the lights are out, but you can also incentivize good performance through corporate tax credits for up-time and availability.
- Foster an environment of open communication where all parties can come together to enhance their practices, policies, and procedures.
The writing is on the wall if the bulk power generation industry does not see the light and start moving aggressively toward showing a significant commitment to security.
Other industries should take note.
Bill