State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to self-regulate, and another approach...
A Voice for Smart-Grid Security
Who will oversee the industry’s cyber standards?
All history aside, the utility security community now has a choice: Start to quickly make existing and future guidance easily consumable and designed for the beginning of the engineering process, or be seen as the dog that didn’t know what to do when it finally caught the truck. The opportunity is here now. No one can predict with certainty how long it will last. And in order to leverage it properly, the community needs a voice—preferably a single organization that can rightfully claim responsibility for securing the smart grid. Legislators, investors, and ratepayers all need a single entity that can say, “This is our job, and here is what we are doing.”
A most interesting portion of this story is unfolding at the federal level. Congressional hearings on smart-grid security are increasing in frequency. Legislation has been proposed. The White House has taken action. So who will answer for smart-grid security? The Federal Energy Regulatory Commission (FERC) might seem an obvious place to start looking for authority to secure the nation's smart grid. After all, the Energy Policy Act of 2005 (EPAct) gave FERC authority over the reliability of the nation's bulk electric system, and created the role of an Electric Reliability Organization (ERO). The ERO was to be responsible for establishing and enforcing electric reliability standards, subject to FERC approval and oversight.
FERC subsequently certified the North American Electric Reliability Corporation (NERC) as the nation's ERO, and after significant dialog approved NERC's Critical Infrastructure Protection (CIP) standards. These standards dictate what utilities must do to protect the cyber assets deemed critical to the reliability of the bulk electric system. So, why can't the industry use these standards to secure the smart grid? Why isn't NERC already the definitive authority in this space? The challenge of smart-grid security for both FERC and NERC is that their purview is explicitly delineated as matters involving the bulk electric system and interstate transmission; the distribution systems, meters, and customer-facing equipment that make up much of the smart grid fall outside it, and at that point authority over security starts looking like a states' rights issue. Both organizations were established to deal with issues that individual states weren't positioned to resolve. And while globalization increasingly might influence individual daily lives and perceptions, it hasn't changed the fact that this country is still a federation of states. The nation's laws and governmental structure are founded on a concept of states' rights, which means individual states have jurisdiction over what utilities do inside their boundaries.
The issue of states' rights, however, might not stop other federal entities from declaring their authority when it comes to national security. As commander-in-chief, the president has a responsibility to protect the country, and the National Infrastructure Protection Plan (NIPP) directs the Department of Homeland Security (DHS), together with the Department of Energy (DOE) as the Sector-Specific Agency (SSA) for the energy sector, to protect critical infrastructure. The director of national intelligence (DNI) also has a role to play in this regard. Due to the country's significant and growing dependence on electronic communications, the White House has designated cyber security as a national security issue. In truth, the same could be said for any number of economic components designated as critical infrastructure. How will this impact