Debate heats up over cybersecurity regulations for electric utilities

Representatives from the electrical industry sharply criticized on Tuesday a proposal in the House to extend federal regulation to include local power plants in major cities to protect them and the national power grid from cyberattacks.

Under the 1935 Federal Power Act, the Federal Energy Regulatory Commission enforces security standards for most of the nation's power plants, including facilities and control networks -- known as bulk power systems -- that connect power systems. But the commission does not have regulatory jurisdiction over electrical systems outside the continental United States or over local distribution facilities, which include some in large cities such as New York and Washington. These systems are connected to the bulk power system through computer networks.

"How can we possibly limit the authority to the bulk power system only when [computer networks] are all interconnected?" asked Rep. Edward Markey, D-Mass., during a hearing before the House Subcommittee on Energy and the Environment, which he chairs.

The North American Electric Reliability Corp. (NERC), a self-regulatory organization run by the industry, develops the security standards for individual power plants, including the local distribution facilities.

Lack of federal authority to enforce standards industrywide opens the system to cyberattacks, Markey argues, because an attacker could target an individual power plant, which could cause outages across broader regions of the electric grid. "We have to close that regulatory black hole" between the federal authority and NERC's jurisdiction, Markey said.

The House introduced two bills this year that would amend the Federal Power Act to address cybersecurity. The 2009 Bulk Power Protection Act, H.R. 2165, introduced by Rep. John Barrow, D-Ga., would require FERC to protect the bulk power system against cybersecurity threats and authorize the commission to issue orders for emergency protective measures in case of an imminent cybersecurity threat to the system.

An amendment to the 1935 Federal Power Act, H.R. 2195, introduced by Rep. Bennie Thompson, D-Miss., would extend FERC's jurisdiction beyond the bulk power system to include all transmission and distribution facilities, and also direct the commission to establish mandatory interim measures to protect against known cyber vulnerabilities or threats.

"To prevent a significant risk of disruption to the grid, legislation should allow the commission to take action before a cyber or physical national security incident has occurred," said Joseph McClelland, director of FERC's Office of Electric Reliability. He also said jurisdiction should include all transmission and local distribution facilities. "[FERC's] current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system," McClelland said.

But representatives from the electric utility industry opposed more federal authority over security standards. "The threat issue is where we believe the focus is best served" by the federal government, said Gary Brown, chairman of the New York Public Service Commission. "A process established by Congress, that would say if there is an imminent threat, exactly what the process would be -- that's the most important part of any legislation."

John DiStasio, general manager and chief executive officer of the Sacramento Municipal Utility District, told the committee that "the diversity of our systems leads us to not necessarily have a one-size-fits-all way to control [vulnerabilities]."

David Cook, NERC's vice president and general counsel, said Barrow's bill, H.R. 2165, would allow FERC to set standards for how electrical utilities respond to an attack, regulations that are acceptable to the industry. But the Thompson bill, H.R. 2195, he said, would allow the federal commission to set standards for how utilities should address cybersecurity vulnerabilities and authorize FERC to "adopt rules or orders without notice or hearing." The industry opposes this authority.

NERC currently develops standards to keep electrical power operational through a public process that allows stakeholders to comment. Congress and FERC have criticized this process, saying it would not respond quickly to urgent cyber or national security risks.

Rep. Fred Upton, R-Mich., warned against what he viewed as overregulation of the industry but also emphasized the need to address vulnerabilities before an attack occurs. "If we see a threat come in, that's presumably too late," he said. "That's why we need legislation."

The Committee on Energy and Commerce is considering H.R. 2165, and the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology is reviewing H.R. 2195.
