Debate heats up over cybersecurity regulations for electric utilities

Representatives from the electrical industry sharply criticized on Tuesday a proposal in the House to extend federal regulation to include local power plants in major cities to protect them and the national power grid from cyberattacks.

Under the 1935 Federal Power Act, the Federal Energy Regulatory Commission enforces security standards for most of the nation's power plants, including the facilities and control networks -- known as bulk power systems -- that connect power systems. But the commission does not have regulatory jurisdiction over electrical systems outside the continental United States or over local distribution facilities, which include some in large cities such as New York and Washington. These systems are connected to the bulk power system through computer networks.

"How can we possibly limit the authority to the bulk power system only when [computer networks] are all interconnected?" asked Rep. Edward Markey, D-Mass., during a hearing before the House Subcommittee on Energy and the Environment, which he chairs.

The North American Electric Reliability Corp. (NERC), a self-regulatory organization run by the industry, develops the security standards for individual power plants, which include the local distribution facilities.

Lack of federal authority to enforce standards industrywide opens the system to cyberattacks, Markey argues, because an attacker could target an individual power plant, which could cause outages across broader regions of the electric grid. "We have to close that regulatory black hole" between the federal authority and NERC's jurisdiction, Markey said.

The House introduced two bills this year that would amend the Federal Power Act to address cybersecurity. The 2009 Bulk Power Protection Act, H.R. 2165, introduced by Rep. John Barrow, D-Ga., would require FERC to protect the bulk power system against cybersecurity threats and authorize the commission to issue orders for emergency protective measures in case of an imminent cybersecurity threat to the system.

An amendment to the 1935 Federal Power Act, H.R. 2195, introduced by Rep. Bennie Thompson, D-Miss., would extend FERC's jurisdiction beyond the bulk power system to include all transmission and distribution facilities, and also direct the commission to establish mandatory interim measures to protect against known cyber vulnerabilities or threats.

"To prevent a significant risk of disruption to the grid, legislation should allow the commission to take action before a cyber or physical national security incident has occurred," said Joseph McClelland, director of FERC's Office of Electric Reliability. He also said jurisdiction should include all transmission and local distribution facilities. "[FERC's] current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system," McClelland said.

But representatives from the electric utility industry opposed more federal authority over security standards. "The threat issue is where we believe the focus is best served" by the federal government, said Gary Brown, chairman of the New York Public Service Commission. "A process established by Congress, that would say if there is an imminent threat, exactly what the process would be -- that's the most important part of any legislation."

John DiStasio, general manager and chief executive officer of the Sacramento Municipal Utility District, told the committee that "the diversity of our systems leads us to not necessarily have a one-size-fits-all way to control [vulnerabilities]."

David Cook, NERC's vice president and general counsel, said Barrow's bill, H.R. 2165, would allow FERC to set standards for how electrical utilities respond to an attack, regulations that are acceptable to the industry. But the Thompson bill, H.R. 2195, he said, would allow the federal commission to set standards for how utilities should address cybersecurity vulnerabilities and authorize FERC to "adopt rules or orders without notice or hearing." The industry opposes this authority.

NERC currently develops standards to keep electrical power operational through a public process that allows stakeholders to comment. Congress and FERC have criticized this process, saying it would not respond quickly to urgent cyber or national security risks.

Rep. Fred Upton, R-Mich., warned against what he viewed as overregulation of the industry but also emphasized the need to address vulnerabilities before an attack occurs. "If we see a threat come in, that's presumably too late," he said. "That's why we need legislation."

The Committee on Energy and Commerce is considering H.R. 2165, and the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology is reviewing H.R. 2195.