As it relates to cyber security, the existing regulatory paradigm falls short and provides inadequate protection to the electric grid.
Elizabeth M. Brereton is an attorney resident in the Salt Lake City office of Snell & Wilmer. Her practice is concentrated in public utility regulation, energy, and environmental law. Prior to joining Snell & Wilmer, she was an enforcement case manager with the Western Electricity Coordinating Council.
Cyber attacks on the U.S. electric grid are increasing in number and sophistication. Cyber security experts warn that the consequences of a successful attack would be crippling. Public safety would be threatened as millions of households and businesses could be left without power and critical services.
Although Congress mandated reliability standards in 2005 to address cyber security for the "bulk power system," mainstream media coverage makes few references to existing federal oversight undertaken so far by the U.S. Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC) and NERC's eight regional entities (WECC, SERC, FRCC, NPCC, RF, MRO, SPP RE and TRE).
To be sure, doomsday predictions and an unresponsive government make for more interesting news segments than wading through the alphabet soup of the current regulatory regime. Beyond soundbites, however, actions of regulators and the electric industry itself seem to suggest that the existing regulatory paradigm falls short and provides inadequate protection to the electric grid.
Existing regulations are in a constant state of flux. Since becoming effective in 2008, FERC has considered five different versions of Critical Infrastructure Protection (CIP) standards and just issued CIP Version 6 for public comment. (See Notice of Proposed Rulemaking, FERC Docket RM-14-000, issued July 16, 2015, 152 FERC ¶61,054.)