In late June 2020, the Federal Energy Regulatory Commission (FERC) released a Notice of Inquiry¹ (NOI) in which they asked detailed questions about the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the risk and impact of a coordinated cyberattack on the bulk electric system (BES). A recurring question throughout the NOI was whether low-impact cyber systems should be subject to the same North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards currently required of medium- and high-impact BES cyber systems.

The policy outcome that arises from this attention on the BES will need to balance the government interest in protecting the nation against a coordinated cyberattack and industry concerns about regulatory burden. This is especially important as low-impact systems are usually smaller and often have fewer resources than their larger, medium- and high-impact system counterparts. To balance these interests, one potential solution would be to implement certain NERC CIP controls and NIST concepts for low-impact cyber systems that will have the most impact:

1. NERC-CIP’s Asset inventory (CIP 002-5.1a)²…

Read More…

On August 5, 2020, members of the Senate Energy and Natural Resources Committee questioned witnesses from the power industry and the federal government about the readiness of the United States bulk-power system (BPS) for a cyberattack. The witnesses were Thomas O’Brien, Senior Vice President and CIO of PJM Interconnection, LLC (PJM), Alexander Gates of the Department of Energy’s (DOE) Office of Policy for Cybersecurity, Energy Security, and Emergency Response (CESER), Joseph McClelland, Director of the Federal Energy Regulatory Commission’s (FERC) Office of Energy Infrastructure Security (OEIS), and Steve Conner, President and CEO of Siemens Energy, Inc. The hearing touched on many issues related to cybersecurity, including the Trump Administration’s recent Executive Order 13920 regarding the security of the BPS, which we discussed here.

Committee Chair, Sen. Lisa Murkowski (R-AK), opened the hearing by noting the importance of cybersecurity and observing that cyberattacks on the power grid are “near-constant and only growing more sophisticated.” Nor are such attacks confined to the power grid; the Senator mentioned recent attacks on both the DOE’s Hanford Site…

Read More…

Power sector supply chains, hard hit by the COVID-19 pandemic, are feeling the double whammy of uncertainty posed by a broad U.S. executive order.

As was clear at the Federal Energy Regulatory Commission’s (FERC’s) July two-day virtual technical conference to assess the pandemic’s impact on the energy industry, COVID-19 has introduced multiple uncertainties for the power sector. Summarized by the North American Electric Reliability Corp. (NERC), the most crucial risks posed by what it called a “people” event, focus on maintaining critical staff needed to operate and maintain the bulk power system (BPS) and mitigating supply chain issues. The latter, as the Edison Electric Institute’s Philip D. Moeller noted, has been vastly compounded by financial troubles posed by “decreased demand, lower commodity prices, reduced access to credit and reduced market liquidity, increased delinquencies, insolvent customers/unrecoverable defaults, lower and/or more volatile stock prices, construction delays, and lags in rate recovery.”

As a number of participants at the conference pointed out, supply chain issues haven’t yet cropped up in any substantial way, mainly…

Read More…

The Federal Energy Regulatory Commission (FERC) issued a Notice of Inquiry (NOI) on June 18, 2020, requesting comments on potential enhancements to the current U.S. Critical Infrastructure Protection (CIP) Reliability Standards (CIP Standards). In the NOI, FERC also seeks input on the potential risk of a coordinated cyberattack on geographically distributed targets and the need for FERC to address such risk.

In a related development, that same day FERC Staff (Staff) issued a Cybersecurity Incentives Policy White Paper (the White Paper) that discusses a potential new framework for providing transmission incentives to utilities for cybersecurity investments. The Staff presents a framework for providing transmission incentives to utilities “for cybersecurity investments that produce significant benefits for actions that exceed” the CIP Standards.

The NOI

CIP Standards are mandatory and enforceable following their approval by FERC. They are intended to provide a risk-based, defense-in-depth approach to cybersecurity of the bulk electric system (BES).

An important source for improving the CIP Standards to address evolving cyber threats is the National Institute of Standards…

Read More…

Read More…