Debate heats up over cybersecurity regulations for electric utilities

Some House members want to set standards for how power plants respond to security vulnerabilities while the industry says that oversteps the government's role.

Representatives from the electrical industry sharply criticized on Tuesday a proposal in the House to extend federal regulation to include local power plants in major cities to protect them and the national power grid from cyberattacks.

Under the 1935 Federal Power Act, the Federal Energy Regulatory Commission enforces security standards for most of the nation's power plants, including facilities and control networks -- known as bulk power systems -- that connect power systems. But the commission does not have regulatory jurisdiction over electrical systems outside the continental United States and to local distribution facilities, which include some in large cities such as New York and Washington. These systems are connected to the bulk power system through computer networks.

"How can we possibly limit the authority to the bulk power system only when [computer networks] are all interconnected?" asked Rep. Edward Markey, D-Mass., during a hearing before the House Subcommittee on Energy and the Environment, which he chairs.

The North American Electric Reliability Corp. (NERC), a self-regulatory organization run by the industry, develops the security standards for individual power plants, which includes the local distribution facilities.

Lack of federal authority to enforce standards industrywide opens the system to cyberattacks, Markey argues, because an attacker could target an individual power plant, which could cause outages across broader regions of the electric grid. "We have to close that regulatory black hole" between the federal authority and NERC's jurisdiction, Markey said.

The House introduced two bills this year that would amend the Federal Power Act to address cybersecurity. The 2009 Bulk Power Protection Act, H.R. 2165, introduced by Rep. John Barrow, D-Ga., would require FERC to protect the bulk power system against cybersecurity threats and authorize the commission to issue orders for emergency protective measures in case of an imminent cybersecurity threat to the system.

An amendment to the 1935 Federal Power Act, H.R. 2195, introduced by Rep. Bennie Thompson, D-Miss., would extend FERC's jurisdiction beyond the bulk power system to include all transmission and distribution facilities, and also direct the commission to establish mandatory interim measures to protect against known cyber vulnerabilities or threats.

"To prevent a significant risk of disruption to the grid, legislation should allow the commission to take action before a cyber or physical national security incident has occurred," said Joseph McClelland, director of FERC's Office of Electric Reliability. He also said jurisdiction should include all transmission and local distribution facilities. "[FERC's] current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system," McCelland said.

But representatives from the electric utility industry opposed more federal authority over security standards. "The threat issue is where we believe the focus is best served" by the federal government, said Gary Brown, chairman of the New York Public Service Commission. "A process established by Congress, that would say if there is an imminent threat, exactly what the process would be -- that's the most important part of any legislation."

John DiStasio, general manager and chief executive officer of the Sacramento Municipal Utility District, told the committee, that "the diversity of our systems leads us to not necessarily have a one-size-fits-all way to control [vulnerabilities]."

David Cook, NERC's vice president and general counsel, said Barrow's bill, H.R. 2165, would allow FERC to set standards for how electrical utilities respond to an attack, regulations that are acceptable to the industry. But the Thompson bill, H.R. 2195, he said would allow the federal commission to set standards for how utilities should address cybersecurity vulnerabilities and authorize FERC to "adopt rules or orders without notice or hearing." The industry opposes this authority.

NERC currently develops standards to keep electrical power operational through a public process that allows stakeholders to comment. Congress and FERC have criticized this process, saying it would not quickly respond to an urgent cyber or national security risks.

Rep. Fred Upton, R-Mich., warned against what he viewed as overregulation of the industry but also emphasized the need to address vulnerabilities before an attack occurs. "If we see a threat come in, that's presumably too late," he said. "That's why we need legislation."

The Committee on Energy and Commerce is considering H.R. 2165, and the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology is reviewing H.R. 2195.