Debate heats up over cybersecurity regulations for electric utilities

Representatives from the electrical industry sharply criticized on Tuesday a proposal in the House to extend federal regulation to include local power plants in major cities to protect them and the national power grid from cyberattacks.

Under the 1935 Federal Power Act, the Federal Energy Regulatory Commission enforces security standards for most of the nation's power plants, including facilities and control networks -- known as bulk power systems -- that connect power systems. But the commission does not have regulatory jurisdiction over electrical systems outside the continental United States or over local distribution facilities, which include some in large cities such as New York and Washington. These systems are connected to the bulk power system through computer networks.

"How can we possibly limit the authority to the bulk power system only when [computer networks] are all interconnected?" asked Rep. Edward Markey, D-Mass., during a hearing before the House Subcommittee on Energy and the Environment, which he chairs.

The North American Electric Reliability Corp. (NERC), a self-regulatory organization run by the industry, develops the security standards for individual power plants, which include the local distribution facilities.

Lack of federal authority to enforce standards industrywide opens the system to cyberattacks, Markey argues, because an attacker could target an individual power plant, which could cause outages across broader regions of the electric grid. "We have to close that regulatory black hole" between the federal authority and NERC's jurisdiction, Markey said.

The House introduced two bills this year that would amend the Federal Power Act to address cybersecurity. The 2009 Bulk Power Protection Act, H.R. 2165, introduced by Rep. John Barrow, D-Ga., would require FERC to protect the bulk power system against cybersecurity threats and authorize the commission to issue orders for emergency protective measures in case of an imminent cybersecurity threat to the system.

An amendment to the 1935 Federal Power Act, H.R. 2195, introduced by Rep. Bennie Thompson, D-Miss., would extend FERC's jurisdiction beyond the bulk power system to include all transmission and distribution facilities, and also direct the commission to establish mandatory interim measures to protect against known cyber vulnerabilities or threats.

"To prevent a significant risk of disruption to the grid, legislation should allow the commission to take action before a cyber or physical national security incident has occurred," said Joseph McClelland, director of FERC's Office of Electric Reliability. He also said jurisdiction should include all transmission and local distribution facilities. "[FERC's] current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system," McClelland said.

But representatives from the electric utility industry opposed more federal authority over security standards. "The threat issue is where we believe the focus is best served" by the federal government, said Gary Brown, chairman of the New York Public Service Commission. "A process established by Congress, that would say if there is an imminent threat, exactly what the process would be -- that's the most important part of any legislation."

John DiStasio, general manager and chief executive officer of the Sacramento Municipal Utility District, told the committee that "the diversity of our systems leads us to not necessarily have a one-size-fits-all way to control [vulnerabilities]."

David Cook, NERC's vice president and general counsel, said Barrow's bill, H.R. 2165, would allow FERC to set standards for how electrical utilities respond to an attack, regulations that are acceptable to the industry. But the Thompson bill, H.R. 2195, he said, would allow the federal commission to set standards for how utilities should address cybersecurity vulnerabilities and authorize FERC to "adopt rules or orders without notice or hearing." The industry opposes this authority.

NERC currently develops standards to keep electrical power operational through a public process that allows stakeholders to comment. Congress and FERC have criticized this process, saying it would not quickly respond to urgent cyber or national security risks.

Rep. Fred Upton, R-Mich., warned against what he viewed as overregulation of the industry but also emphasized the need to address vulnerabilities before an attack occurs. "If we see a threat come in, that's presumably too late," he said. "That's why we need legislation."

The Committee on Energy and Commerce is considering H.R. 2165, and the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology is reviewing H.R. 2195.
