NERC seeks 'consistent' cybersecurity jurisdiction with FERC

Washington (Platts)--5May2011/504 pm EDT/2104 GMT


A draft US Senate committee bill that would give the US Federal Energy Regulatory Commission limited cybersecurity oversight of state-jurisdictional electric distribution lines was met with concerns Thursday at a Senate Energy and Natural Resources Committee hearing.

The head of North American Electric Reliability Corp., the entity responsible for establishing grid reliability standards for the bulk electric system in the contiguous 48 US states, but not local distribution facilities, argued that FERC should not be given that additional oversight unless NERC is also granted the same authority to set standards for cybersecurity issues affecting distribution lines.

FERC is responsible for overseeing NERC activities, approving or rejecting proposed NERC reliability standards as well as any penalty amounts assigned to entities that violate the standards. NERC and FERC's oversight of reliability on the grid does not include certain lines that go into major cities, distribution lines or the grid systems in Alaska and Hawaii. States have jurisdiction over distribution lines.

But the Senate draft bill would authorize FERC to set an interim rule directing owners and operators of distribution facilities to address cybersecurity vulnerabilities that would otherwise leave them open to a direct attack.

Unless NERC is granted matching jurisdiction, the law would essentially allow FERC to determine cybersecurity reliability measures for facilities over which NERC has no oversight or standard-setting ability, NERC President and CEO Gerry Cauley said.

The draft legislation would give FERC the ability to direct NERC to develop and propose a standard or revise an existing standard to adequately protect critical electric infrastructure from cybersecurity vulnerabilities.

If NERC fails to put a standard together within a certain period, FERC would be able to issue an interim rule that provides adequate protection of critical electric infrastructure. That rule would terminate when FERC determines the vulnerability has been addressed or when NERC proposes an acceptable standard to eliminate such a concern.

Joseph McClelland, FERC's director of the Office of Electric Reliability, said the discussion draft "would allow the commission to address a sophisticated and targeted [cybersecurity] attack or event aside from the standards development process" of NERC. The process that was established under the Energy Policy Act of 2005 is too slow and unpredictable to address imminent cybersecurity concerns, McClelland said.

There also may be limited circumstances where an industry-wide standard may not be appropriate, McClelland explained. If the Department of Homeland Security or Central Intelligence Agency uncovers a vulnerability at a particularly critical electricity facility that could be exploited, that facility may "need to go to a heightened state of readiness," McClelland said. He said that the legislation would properly give the commission the ability to direct an entity to act in such a case.

"The commission should be able to require mitigation even before or while NERC and its stakeholders develop a standard, when circumstances require urgent action," McClelland said.

Cauley argued his organization also needs to be given additional authority. Although NERC can put out alerts to the industry when it hears about threats or vulnerabilities, those notices do not come with "the ability to make enforceable directives," Cauley said.

He also argued that FERC's authority should not be extended to the distribution level unless NERC's standards are also extended to include such facilities.

"The jurisdiction should be consistent between us," Cauley said.

--Esther Whieldon, esther_whieldon@platts.com