The Federal Energy Regulatory Commission went back to Congress Tuesday urging lawmakers again to give it the authority to enforce cybersecurity standards meant to protect the nation’s electric grid.
“Despite its active role in approving reliability standards, FERC’s current legal authority is insufficient to assure direct, timely and mandatory action to protect the grid,” Joseph McClelland, director of the FERC Office of Electric Reliability, told the Senate Energy and Natural Resources Committee.
McClelland said his agency’s effectiveness in preventing cyber attacks on electric systems is limited by a slow, unpredictable process for developing rules and standards that grid operators can use to protect their systems from cyber malice. The problem, he said, is magnified as more utility operators install networked smart-grid technology. “This process is inadequate when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information,” he said in written testimony for the committee.
FERC derives part of its grid-protecting mandate from the Energy Independence and Security Act of 2007, which promotes the adoption of new technologies for the electric system. But the law does not provide the agency with authority to enforce the standards it approves. Only part of the electric system falls under FERC’s jurisdiction.
“Much of those technologies are implemented and deployed at the distribution level, which is more under the purview of the state regulatory commissions and others,” said Greg Wilshusen, director of information security at the Government Accountability Office.
Not the first time
Lawmakers have attempted to increase FERC’s authority in the past. In 2008, Reps. Bennie Thompson (D-Miss.) and Jim Langevin (D-R.I.) promoted legislation that would have given the agency authority to require power plants to immediately fix cybersecurity holes. Lawmakers have pushed other bills to address the issue, but to no avail.
Once again, FERC asked senators to draft legislation that addresses FERC’s concerns.
“First, legislation should allow the federal government to take action before a cyber or physical national security incident has occurred,” McClelland said. In addition, Congress should avoid limiting additional authority to the bulk power system, which excludes certain critical facilities in major population areas.
But some regulators say the existing process works well as is and that the government’s role over electric utilities should remain limited.
“We think we’ve got an adequate handle,” said Todd Snitchler, chairman of the Public Utilities Commission of Ohio. “We have been able to work closely [with utilities] to make sure that they are operating in a way that gives us a level of comfort that they have sufficient security going forward.”
Sharing of threats poses challenges
Snitchler also said he worries about the feasibility of efforts to encourage utility companies to share information about threats to their systems with the federal government and other companies. The proposal is part of a number of legislative efforts to improve cybersecurity.
“Like other state commissions, it’s sometimes a challenge to have our utilities come in and disclose the weaknesses in their system,” he said. “And so the issue of confidentiality again rears its head even at the state level as we try to protect that information and prevent it from becoming part of the public domain.”
Some companies worry information about their vulnerabilities might be used against them if publicly disclosed. But one idea seeks to address the concern.
Companies’ vulnerability disclosures should be anonymous, allowing companies to share details without putting their names on the line, Wilshusen said.
This story is part of Federal News Radio’s daily Cybersecurity Update.