State Regulators Address Cyber-Security Concerns

by Philip Jones

As utility systems become modernized, companies are introducing a number of wireless and networked elements to the system. These new technologies, such as smart meters, synchrophasors, and real-time monitoring of the transmission and distribution system, bring a new level of awareness and efficiency to the electricity grid. They can give consumers more control over their usage, and provide greater situational awareness to the utilities about the overall condition of their systems.

At the same time, though, these new technologies also carry a new level of risk. Networked, Internet Protocol (IP)-based systems can be attacked remotely, and IP-based technologies on the utility grid are a particularly attractive target. Engineers and IT experts may debate just how much damage a hacker could do through a single smart meter, but make no mistake: Electric utilities and their regulators are taking this issue seriously.

The utility industry and its regulators deal with a broad range of risks every day. Aging infrastructure poses substantial safety and reliability risks. Required investments in pipelines, and cleaner and more efficient power plants, transmission, and smart meters, raise financial and economic risks. And uncertainty over the direction of U.S. energy policy creates political risk.

All of these risks have one common element: the need to work together—either between different levels of government or in a public/private partnership—to keep the lights on, the gas flowing, the water safe, and the rates affordable.

Through this lens, state utility regulators are addressing the issue of cyber security. I have made it my central theme during my tenure as president of the National Association of Regulatory Utility Commissioners (NARUC). Through workshops, events, primers, and much more, NARUC and state regulators are educating ourselves, asking tough questions, and working as closely as possible with our federal and industry counterparts to ensure that the nation’s regulated utilities are shoring themselves up against a potential cyber attack.

Thankfully, the electric utility industry’s efforts to protect itself are already well under way. The industry is subject to mandatory cyber-security standards through the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards, approved by the Federal Energy Regulatory Commission (FERC). These standards apply to the utilities’ high-voltage transmission systems. Whether this process should be replicated for other utility industries is a decision pending before Congress, but we believe this long-standing program for the electric industry at the bulk-power level has been well tested and works reasonably well. But we certainly recognize that the nature and frequency of the threats are increasing, and we need to collaborate to develop effective defenses and information-sharing mechanisms to cope with such threats.

Under current law, FERC approves, rejects, or returns with recommendations for revision the proposed standards developed by NERC. In fact, FERC recently approved, in large part, the CIP version 5 standards proposed by NERC, while remanding several issues back to it for possible revision. This process puts those who know their system best—the companies themselves—in charge of putting the standards together, and gives the federal government an opportunity to review and revise. Any congressional cyber-security legislation should retain this system.

At NARUC, we have worked closely with Representative Mike Rogers, Chair of the House Intelligence Committee, and commend him for his single-minded focus on this issue. His legislation, called CISPA (the Cyber Intelligence Sharing and Protection Act), marks a strong starting point in recognizing that the federal government will not have all the answers. We will continue to work with Chairman Rogers going forward, as well as key leaders and committees in the Senate as they deliberate on cyber-security issues.

This does not mean, though, that the energy utility sector should rest on its laurels. Complacency is simply not an option in the dynamic world of cyberspace. The existing process is a good, transparent way of developing standards that address vulnerabilities in the nation’s transmission grid, but it may not be enough to handle dynamic cyber threats. These threats have the exact opposite characteristics of the FERC-NERC process in that they are hidden, dormant, fast-acting, and do not care about audits or transparency.

This means that the industry and the federal government must find better ways to communicate and share information. Our federal intelligence agencies have the resources, capabilities, and personnel to keep tabs on the bad actors who are trying to wreak havoc with our nation’s infrastructure. If the federal government knows of imminent threats to our electric system, they should take whatever steps necessary to address the problems quickly.

The NERC-FERC standards apply only to the high-voltage transmission system, or the “bulk-electric system.” The rest of the grid consists of distribution and local power lines that deliver the electricity to our homes and businesses at the local and neighborhood levels. There are no federal rules or standards for the distribution network because these systems are overseen ably by state regulators. Through our investigations and collaboration with federal agencies, we are acutely aware that such local distribution systems can be penetrated, and we are proactively addressing vulnerabilities by reaching out to utilities and reviewing their cyber- and physical-security plans.

Our regulatory system puts the burden of proof on the utilities themselves. They own the networks and, therefore, should know where any vulnerabilities may exist. This is true whether we’re talking about a hurricane, tornado, or potential cyber attack. Given the geographic disparities in the United States, the needs of a utility in the states of Washington or New York are likely far different from a utility in Missouri or Kentucky.

Remember, the utility industry deals with risks and vulnerabilities every day. From severe weather events to car accidents and human error, utilities face all kinds of threats to their systems. But we do not have a federal Department of Hurricanes. We don’t have nor need federal standards for rebuilding the system after a major storm takes a good chunk of it down. Utilities are adept at rebuilding their systems quickly, safely, and reliably. Yet we rely heavily on the projections and analysis of federal agencies such as the Federal Emergency Management Agency and the National Oceanic and Atmospheric Administration’s National Weather Service before and after a storm hits. We communicate across all levels of government in preparation for a storm and in our response after a storm. This is exactly the kind of communication and information sharing that will serve us well as we deal with cyber threats.

State utility regulators understand what is at stake, and through NARUC and other resources, we are educating ourselves and asking key questions of our regulated utilities. We are interacting with federal agencies and building greater awareness of the situation. At the NARUC level, we have published primers and held training sessions in more than half of our 50 states. We’ve also held sessions at our three annual meetings. And I’ve used the bully pulpit of the NARUC presidency to discuss this issue with our members, utilities, and federal officials, as well as with fellow energy regulators in Canada and the European Union.

Some utilities and others have asked, Why are our regulators so active on this? Shouldn’t they await federal action? The answer is simple: We can’t wait. We are supportive of the efforts of Chairman Rogers and other leaders in the House and Senate to enact cyber legislation, but whether Congress can agree on a plan this year or next is unknown. Therefore we must be proactive at the state and local government levels, working with the utilities and infrastructure owners.

Our members may not be software engineers or IT experts, but we know well-placed questions will prompt well-considered responses. If utility consumers are paying for cyber protections, we must be confident that each utility has a comprehensive plan developed by its chief information officer and chief security officer, which is then approved by the CEO and fully vetted and approved by the Board of Directors.

For state regulators, dealing with cyber security is a new kind of risk. We deal with many types of risks and uncertainties when planning for our energy future, such as storm outages and restoration, environmental regulations, and hardening the system for severe weather. But cyber risks are constantly evolving and require immediate action when we know of imminent breaches to the system. We believe we are ready to face these new challenges and are doing all we can to enhance our capabilities and collaborate with fellow state agencies and the utilities under our jurisdiction. We are pursuing the same sort of collaboration with our colleagues at the federal level, including those who have the responsibility to protect our common defense and national security. It’s only through such collaboration and cooperation that we will be successful in protecting our privately owned infrastructure, and thereby ensure our country’s readiness and economic prosperity.

Commissioner Philip Jones of Washington was elected President of the National Association of Regulatory Utility Commissioners in November 2012. He was appointed to the Washington Utilities and Transportation Commission in 2005. Prior to his commission appointment, he served as managing director of Cutter & Buck (Europe), BV in Amsterdam, the Netherlands for five years and as senior legislative assistant to former Washington Sen. Daniel J. Evans.