Union Leader Says Utilities Not Incentivized to Report Cyber Incidents or Implement Protections

Gena Melendrez/Shutterstock.com

FERC’s recently “expanded” reporting requirements leave it up to entities to decide on qualifying events.

The new leader of the Utility Workers Union of America is calling attention to a lack of public accountability for utilities’ cybersecurity practices due to a relaxed regulatory environment. 

Unlike gas leaks which are flagged by odors or can cause explosions that would cause the public to push the private sector entities to address failures, cybersecurity threats can fly under the radar, said Jim Slevin, who was elected president of the union in July. 

Slevin, who represents about 45,000 public and private-sector workers across the country, told Nextgov this means there must be stricter requirements for utilities to report cybersecurity incidents.

In June, the Federal Energy Regulatory Commission hailed its adoption of a new order that it said strengthens cybersecurity standards for the bulk electric system because it requires entities to report attempted compromises and compromised systems to the commission. But the commission leaves it up to the responsible entity to develop its own criteria for identifying an attempt to compromise a cyber system.  

Six months later, Slevin says entities are “all over the page” and notes that, generally, the flexible risk management approach embraced by regulators means the utilities are always going to choose profits over investments in cybersecurity.

“Even though they're a public service, they're driven by profit,” he said. “Just look at what they do with their own infrastructure where they sell the commodity of gas, electric and steam and they let those go down. They're less likely to care about something like cyber which is something that somebody doesn't see outside their house or on their roadway. Unless they get some kind of regulation around them that puts them under one spectrum reporting-wise, I don't think you're going to get it done.”

Lawmakers such as Rep. Jim Langevin, D-R.I., have noted FERC’s limited authorities, as it acts in tandem with the North American Electric Reliability Corporation—an industry group—that “self-regulates” the sector. 

In a 5-year review FERC released Thursday on NERC’s performance assessment of itself, FERC does call attention to NERC’s “ increased reliance on guidelines”—without robust participation from stakeholders—and a lack of metrics for determining what kind of information should be reported through the Electricity Information Sharing and Analysis Center. 

In its assessment, NERC said much of the information collected through E-ISAC couldn’t be used to inform reliability standards across the Electric Reliability Organization because of the sharing group’s “code of conduct.” 

FERC directed NERC to report within 90 days a series of information, including “the scope and basis used for developing” metrics and how the metrics assist NERC in its oversight responsibility of the E-ISAC.

In addition to incident reporting, Slevin noted shortcomings observed across the sector related to a lack of background checks for workers brought in to handle emergency situations, foreign ownership of utilities that might give adversaries access to sensitive schematics, and a lack of resilience testing to ensure utilities can still operate manually if the worst were to happen.