Setting the Standard
NERC’s new cyber security rules may minimize cost of compliance, but they leave utilities guessing on how to identify risks.
(Emerging Threats, Cybersecurity, Science and Technology; plus Transportation Security and Infrastructure Protection) to file formal written comments with FERC demanding a rethinking. The congressmen fault the idea that cyber security rules should focus only on risks that threaten a complete breakdown of a regional grid.
At the October hearing, star witness Joseph M. Weiss, managing partner for Applied Control Solutions, claimed Congress and FERC created a potential “conflict of interest” by relegating electric system cyber security to a group (NERC) still funded by the industry. As a member of NERC’s drafting team for the cyber standards, and as a professional engineer and certified information security manager (CISM), Weiss echoed Liam Baker’s analysis at US Gen:
“It so happens,” said Weiss in his testimony, “that many of the largest electric utilities have determined in their risk assessments that they have no—zero—critical generation assets … nuclear included … [because] their systems have been designed to withstand ‘N-1’ contingencies.”
That ignores the threat of simultaneous multiple contingencies, Weiss said. “What if a Trojan Horse planted in numerous generation control systems should awaken at the appointed hour,” he asked, “and simultaneously trip a whole collection of plants in a region? Very possible scenarios such as this are being discounted out of hand by people in positions of authority who really do not understand cyber security.”
Taking a cue from Weiss, the House committee called for standards that would safeguard national defense and infrastructure, plus the welfare of citizens and communities.
“Every critical infrastructure in the country,” the committee reasoned, “is dependent upon the bulk power system: chemical plants, banks, refineries, hospitals, water systems, and military installations.”
Yet Congress well understands that economic and societal considerations fall outside the scope of authority that it granted to FERC and NERC (as the nation’s designated ERO, or Electric Reliability Organization) in EPAct Sec. 1211 (which amended Federal Power Act sec. 215). The issue received a thorough airing out last year, in the run-up to FERC’s Order 693 (March 2007), approving the first of NERC’s proposed mandatory reliability standards. At that time the American Public Power Association accused FERC of focusing too much on how “newsworthy” a blackout might be, especially if it took out electric service in New York City or Washington, D.C. (See Commission Watch, “The Rush to Reliability,” Feb. 2007.)
The NERC standards define the term “critical cyber assets” to include only those programmable electronic devices and communication networks essential to the reliable operation of other facilities, known as “critical assets,” which, if destroyed, degraded or forced off line, would affect reliability or operations for the bulk power system. Critical cyber assets also must feature connectivity through Internet Protocol routing, or else dial-up Internet accessibility, as explained in NERC’s proposal and in FERC’s initial evaluation in its recently issued notice of proposed rulemaking (NOPR). (See Docket RM06-22, 120 FERC ¶61,077, July 20, 2007 (NOPR Decision). See also FERC Docket No. RM06-16, filed Aug. 28, 2006 (NERC Proposal).)
Concerned over NERC’s narrow view, the House committee proposed instead that the electric industry should adopt cyber security