Setting the Standard
NERC’s new cyber security rules may minimize cost of compliance, but they leave utilities guessing on how to identify risks.
Liam Baker, vice president for regulatory affairs at US Power Generating, questions whether his company’s power plants and control systems in New York and Massachusetts must comply with the electric industry’s new mandatory standards for cyber security.
Baker voiced his doubts in written comments he filed in October with the Federal Energy Regulatory Commission (FERC). It all starts with ISO New England (ISO-NE), which runs the market dispatch for the power plants that US Gen owns through its indirect subsidiary, Boston Generating, LLC.
“ISO-NE’s dispatch philosophy,” Baker explains, “is the system can always withstand the sudden loss of the largest generator in the region.” “And New England’s capacity market,” he adds, with its built-in reserve margin, “further ensures that, even on the hottest peak-load days, there is sufficient operable capacity to securely cover load with multiple large generators out of service.”
Thus, Baker questions how any single power plant, grid facility or related computer control system can qualify as absolutely “critical,” a finding required for cyber standards to apply. Baker concedes that some facilities remain essential, such as special black-start units, or other “must-run” plants that supply reactive power or some other unique local reliability need. Beyond that, however, he suggests Boston Gen or virtually any other generator in New England “could logically assume” none of its individual plants are “critical” to the bulk electric system.
“Without additional guidance,” he adds, “there is no way of knowing if this is an appropriate assumption.” (See Comments of US Power Generating Co., pp. 3-5, FERC Docket No. RM06-22, filed Oct. 9, 2007.)
Baker has pinpointed the “N-1” theory that underpins the electric reliability standards created and enforced by the North American Electric Reliability Corp. (NERC). By building in multiple levels of redundancy to guard against all adverse first-level contingencies, the industry in effect ignores the likelihood of any single failure. The remedy lies not in preventing breakdowns, but in designing the regional bulk-power grid so the system will survive them. In effect, no asset is ever allowed to become “critical” in the first place.
By contrast, however, the new cyber standards require proof of criticality—that a given failure could wreak havoc. That brings enforcement into the realm of probability theory, where the risk analysis may turn on a roll of the dice.
Doubts in Congress
On Capitol Hill, the House Committee on Homeland Security, led by chairman Bennie Thompson (D, Miss.), asserts that NERC’s decision to make cyber security contingent on the criticality of physical and cyber assets represents “a conceptual mistake.”
Thompson’s House committee held a hearing in mid-October to hear testimony from computer security experts after news had leaked that government engineers staged an experimental cyber attack that succeeded in taking over computer control systems for a power plant located at the DOE’s Idaho National Laboratory. (See “Aurora Attack.”)
Moreover, Thompson joined with two other House Subcommittees