Attempts to Regulate the Bulk Power System Industry

By Bethany Lange

The terms “Dragonfly” and “Energetic Bear” likely conjure up images of nature, but those in the electric and cybersecurity industries know better. The names belie the destructive nature of the team of Russian hackers they represent. The sheer number of cyber attacks by this group and others on the U.S. electric grid is staggering, even if most are not as sophisticated. As explained in the first article in this electrical grid security series, physical security of the electric grid is costly to improve. However, defense against cyber attacks has proven even more complicated due to the constantly evolving nature of the threat and the relatively unresponsive bureaucratic regulation system. Whether it is another nation, a non-state actor, or even corporate sabotage, this 21st century adversary is complex and requires an equally adaptive counterstrategy. The reliance of the nation’s bulk power system on IT is a major vulnerability. Networks that can be hacked by someone sitting in front of a computer halfway around the world are inherently difficult to protect. The mission to protect the U.S. grid has been slowed by bureaucracy and unwillingness to provide enforcement mechanisms to yet another regulatory authority. However, in order to avoid the demise of becoming just another powerless authority, we must create regulators with teeth.

The United States has responded to this threat with a slew of assorted acronyms: FERC assesses CIP standards developed by NERC. This means that the Federal Energy Regulatory Commission (FERC), the government agency assigned to manage cybersecurity on a national level, oversees the reliability criterion of Critical Infrastructure Protection (CIP). CIP is the concept that encompasses the preparedness and response to events threatening U.S. critical infrastructure. It has been the role of the North American Electric Reliability Corporation (NERC), a federally backed non-profit regulatory authority, to develop these CIP standards. The creation of groups and methods to analyze power supply reliability promotes greater accountability within the industry. However, this alphabet soup of bureaucracy means little without working implementation and enforcement mechanisms.

To remedy that, in addition to organizations like FERC and NERC, past presidents and congresses have attempted to build a backbone for cybersecurity industry directives. An important legislative element of these efforts is the Energy Policy Act of 2005, which designated FERC as the overarching authority governing the reliability of the grid. In a checks and balances system reminiscent of the three branches of government, the Act gives FERC the authority to oversee, but not to create or modify the standards themselves. That job is left up to NERC. The majority of the security criteria are created at the behest of electric power industry experts in a collaborative process with NERC, such as the standards known as CIP-002 through CIP-009. These eight cybersecurity standards, which have been in effect since 2006, require facility operators to maintain records of CIP data and document risk assessments. Although historically voluntary, the standards became the first mandatory requirements for the industry in March of 2008.

Making CIP-002 through CIP-009 mandatory signaled the beginning of a movement towards greater regulation of bulk power systems. Since then, Congress has vacillated on the issue of cybersecurity. So to highlight the issue for their peers, Sen. Edward J. Markey (D-MA) and Rep. Henry A. Waxman (D-CA) collected data from over 75 utilities concerning breaches of their operations, compiled in a report published in May 2013. One utility estimated they were targeted by cyber attacks around 10,000 times per month, while others reported simply a constant barrage of threats. In response to the figures, the congressmen introduced the Grid Reliability and Infrastructure Defense (GRID) Act on March 26, 2014. With provisions to provide FERC the authority to more effectively govern the industry, such as the ability to issue its own rules if NERC does not adequately address a vulnerability, it quickly passed the House. However the Senate remained silent, passing the buck, instead, to the next congress. The act fell 8 votes short of the 60 needed, as Republican lawmakers prioritized the interests of business leaders and “protection” from further regulations. The GRID Act has been revered as long-awaited progress in the mission to protect the electric grid, but this reluctance by politicians to regulate means the industry is no closer to effectively addressing security concerns.

There is forward progress in bolstering the U.S. bulk power system, but these efforts represent just a few of a great deal of moving parts. Of course, in the typical lumbering style of a massive bureaucratic machine, the regulators of the cybersecurity system crisscross and overlap in an attempt to weave a thick enough shield to guard against the intrusions of hackers, or even terrorists. Still, in the last week of November 2014 alone, Forbes, Newsweek and CNN all published alarming pieces on the very real potential of a Chinese cyber-attack shutting down the U.S. power grid. Michael Assante, of Forbes, put it aptly, writing, “America’s critical infrastructure… has become its soft underbelly, the place we are now most vulnerable to attack.” It’s always easier to identify failures and potential downfalls of a structure than successes, but the electric grid industry and lawmakers have far to go before the threat posed by cyber attacks is greatly reduced. They must be proactive and create the regulator with enforceable authority that is so badly needed.

This is the second in a series of articles exploring the topic of U.S. electric grid security. It briefly highlights the threat of cyber attacks and evaluates the countermeasures against them.