As it relates to cyber security, the existing regulatory paradigm falls short and provides inadequate protection to the electric grid.
Elizabeth M. Brereton is an attorney resident in the Salt Lake City office of Snell & Wilmer. Her practice is concentrated in public utility regulation, energy, and environmental law. Prior to joining Snell & Wilmer, she was an enforcement case manager with the Western Electricity Coordinating Council.
Cyber attacks on the U.S. electric grid are increasing in number and sophistication. Cyber security experts warn that the consequences of a successful attack would be crippling. Public safety would be threatened as millions of households and businesses could be left without power and critical services.
Although Congress mandated reliability standards in 2005 to address cyber security for the "bulk power system," mainstream media coverage makes few references to existing federal oversight undertaken so far by the U.S. Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC) and NERC's eight regional entities (WECC, SERC, FRCC, NPCC, RF, MRO, SPP RE and TRE).
To be sure, doomsday predictions and an unresponsive government make for more interesting news segments than wading through the alphabet soup of the current regulatory regime. Beyond soundbites, however, actions of regulators and the electric industry itself seem to suggest that the existing regulatory paradigm falls short and provides inadequate protection to the electric grid.
Existing regulations are in a constant state of flux. Since becoming effective in 2008, FERC has considered five different versions of Critical Infrastructure Protection (CIP) standards and just issued CIP Version 6 for public comment. (See Notice of Proposed Rulemaking, FERC Docket RM-14-000, issued July 16, 2015, 152 FERC ¶61,054.)
And each legislative session seems to bring with it new proposals to address the cyber security threats to the electric grid. Further, a slew of federal agencies and industry groups have issued all manner of executive orders, policy directives, and guidance governing cyber security of the electric grid. Yet within the industry itself, serious concerns persist as to whether the CIP standards have amounted to anything more than just costly paper drills.
All regulatory regimes are plagued by delay, uncertainty and inefficacy. But cyber security for the bulk power system is further complicated by the nature of the threat. It is not simply a matter of managing the negative externalities of an industrial process to guard against a foreseeable risk to public safety. Rather, standards governing bulk power cyber security must also anticipate attacks that often confound our present tools of prediction. Standards also must remain flexible enough to accommodate a diverse network of systems and devices deployed across thousands of miles of infrastructure shared and owned by a diverse collection of public and private enterprises.
Given the dynamic nature of cyber threats, we should ask ourselves whether mandatory reliability standards drafted by NERC and approved by FERC can get past the uncertainty created by cumbersome procedures and regulatory delays to provide an effective means of addressing the cyber security threat to the bulk power system.
In what follows, let's examine some of the regulatory gaps and risks presented by our current system of NERC and FERC oversight.
Securing the Weakest Link
The electric grid is a web comprised of infrastructure, devices and operating systems that are designed to interact seamlessly with one another. Current NERC Reliability Standards governing cyber security (CIP Standards) are limited to a subset of devices identified as Critical Cyber Assets.
Nevertheless, there exists is no overarching or comprehensive list of Critical Assets or associated Critical Cyber Assets. Rather, CIP Standards require covered entities one by one to self-identify their own Critical Assets and Critical Cyber Assets, based on a two-step process. First, entities must create a risk-based assessment methodology that is then used to determine whether a "brick and mortar" facility qualifies as a Critical Asset. Second, having identified all Critical Assets, entities then are required to identify Critical Cyber Assets "essential" to the operation of those Critical Assets.
When CIP standards were first implemented a handful of entities construed the flexibility built into them as license to evade their terms altogether. One such entity, controlling a number of critical 500-kV substations, claimed that its risk assessment could not identify a single Critical Cyber Asset that required protection under NERC Reliability Standards.
Most entities, however, did undertake the herculean effort of developing a risk-based assessment, cataloging their bulk electric system assets and inventorying associated systems. Still, it was evident that significant gaps were presented by a risk-based identification system.
Typically, risk-based evaluations only considered those higher-voltage facilities operating at 230 kV and above as a risk to the bulk power system. Moreover, because those assessments were created by each entity, "risk" was assessed based on the limited operational information available to that single entity. As a consequence, the broader system-wide risks posed by lower-voltage systems operating at 115 kV largely fell outside the scope of current CIP standard enforcement.
The consequences of overlooking risks and the grid's dependence on low-voltage facilities were illustrated on September 8, 2011. A technician's error in a single substation triggered a series of events that led to a cascading power outage stretching from Arizona to the Pacific Southwest and Mexico. As protection systems on high-voltage systems failed, load shifted to lower-voltage systems that were not maintained to act in concert with the broader system and isolate the outage. The blackout widened and left millions without power for up to 12 hours before the system was finally restored.
In the aftermath of the blackout, a report prepared by FERC and NERC staff identified a number of system-wide operational and regulatory failures. Among them was a widespread failure on the part of system planners, operators and owners to consider operational risks posed by grid facilities operating below 115 kV. Further, FERC staff noted that the lack of coordination between entities to identify and coordinate operations between high-voltage systems and low-voltage systems affected bulk electric system reliability. Although the blackout was not triggered by a cyber attack, the incident demonstrated that low-voltage assets typically excluded from the scope of CIP Standards pose a risk to the reliability of BPS if ignored.
New standard revisions set to go into effect next year - CIP Version 5 - address some of the risk posed by lower-voltage facilities.
(Ed. Note that CIP Version 5 also ushered in a new set of terms and definitions. In place of "critical asset" (CA) and "critical cyber asset" (CCA), as noted earlier in this article, Version 5 speaks of the "Bulk Electric System," "BES Assets," and "BES Cyber Assets." To use NERC's words, Version 5 now identifies key cyber resources not so much as a pieces of equipment, but as part of an integrated system:
"Instead of identifying crucial assets as in previous versions ... the new standard identifies BES Cyber Systems as a grouping ... because it allows entities to apply some requirements at a system level rather than an individual asset level ....
"This change results from the drafting team's review of the NIST Risk Management Framework and the use of [the] analogous term 'information system' as the target for categorizing and applying security controls.")
Under CIP Version 5, "Low-Impact Bulk Electric System Cyber Systems" associated with lower-voltage facilities will be afforded broad protection. Standards will require regulated entities to develop policies that address Low-Impact-System risks. Although intended to provide flexibility, such programmatic requirements are often ineffective, where the mere existence of a program or policy satisfies some regulators versus an active engagement with the enforcement of that program. Most violations stemming from programmatic standards are triggered by a manager's failure to review or update the program annually, rather than from the inherent framework of the program. The majority of protections prescribed for High- and Medium-Impact bulk electric systems Cyber Systems are not extended to Low-Impact Systems.
Proposed revisions contained in CIP Version 6 contain more specific requirements that require entities to manage physical and logical access to low-impact devices. The effectiveness of securing Low-Impact Systems is unclear. It is almost certain, however, that the costs of creating and implementing cyber security policies and programs to Low-Impact Systems will be significant. Moreover, given the "flexibility" afforded to Low-Impact System protections, there will be a steep learning curve on the part of regulated entities as to what constitutes an adequate protection program or policy for Low-Impact Systems.
Delay and Uncertainty
Contrary to what you might think, the Federal Power Act does not authorize FERC to draft cyber security standards. Rather, under the Act, FERC may approve cyber security standards only after they are drafted first by NERC. Standards development thus becomes a tiered process that first seeks consensus through NERC's membership and the electric industry before draft standards are submitted to FERC for its review, public notice, and comment.
The consequences of limiting FERC's drafting authority through a bifurcated process that depends on NERC are two-fold. First, effective CIP Standards are not responsive in addressing immediate cyber security risks. Second, this structure creates a great deal of uncertainty for regulated entities.
There are significant delays between the time FERC identifies an issue and the time NERC can propose standard language to address the issue. FERC initially identified gaps in protections afforded to Critical Cyber Assets as early as 2008. Now, over seven years and six standard versions later, FERC is still waiting for NERC to propose standard revisions that address all vulnerabilities originally identified in 2008.
The NERC Standard drafting and approval process is cumbersome. NERC Reliability Standards are developed through a consensus process. Standards are submitted to FERC staff for formal rulemaking only after being vetted through NERC's committees, membership and Board. The process often results in a convoluted game of telephone, wherein FERC issues an order directing NERC to draft a standard or implement a fix, and NERC going back to its membership "interpreting" the meaning behind the order and drafting language that can achieve consensus within the industry before it submits proposed revisions to FERC (for the second, third or fifth time).
This process creates a great deal of uncertainty among regulated entities. Effective standards may include language that has already been deemed unenforceable by FERC. Further, unable to immediately issue revised standards responding to a FERC directive, NERC and regional staff often are forced to issue official and unofficial guidance to clarify effective standards. This guidance is not technically mandatory and can be retired, revised or disregarded. Sorting through effective and proposed guidance and standards creates a great deal of uncertainty as to what entities must actually do to meet their compliance burdens under the standards.
Delays and uncertainties that are commonplace in regulatory rulemaking processes carry extraordinary costs to entities in the context of cyber security. CIP Standard requirements impose tremendous administrative and logistical burdens on regulated entities. Large utilities must implement logical and physical mechanisms to secure thousands of devices spread across hundreds or thousands of miles of infrastructure. Delays and uncertainties carry significant costs in terms of planning and deployment required to implement cyber security protections.
The Enforcement Dilemma
Enforcement of CIP Standards presents a number of challenges. Penalties for violations can be significant. Many CIP Standards include circular references. For example, a single act of noncompliance resulting in one violation can automatically trigger violations of four related, but separate, requirements with separate penalties. Some standard requirements are simply inapplicable to particular networks, system designs or devices. Further, CIP Standards are in a constant state of revision. Forward-looking entities, however, risk being found noncompliant if they begin to implement operational changes to accommodate anticipated revisions. Moreover, as drafted, many CIP Standards are ambiguous, with interpretation depending on the region responsible for enforcement.
Returning to Section 215 of the Federal Power Act, one sees that violations of NERC Reliability Standards can carry a penalty as high as $1,000,000 per day, per violation. In practice the upper limits of this penalty authority have never been approached. Yet this ceiling suggests that Congress intended the electric industry to take bulk power system reliability and bulk electric system cyber security seriously.
Beginning in 2012, NERC and regional entities started to adopt alternative enforcement strategies to avoid mandatory penalties and make the enforcement process "more efficient."
In 2013, NERC proposed a targeted, alternative enforcement strategy with respect to 17 requirements in CIP Version 5 that required entities to "identify, assess, and correct deficiencies." Many construed this language as creating a loophole to mandatory compliance, whereby entities were no longer required to "self-report" noncompliance or possible violations. Although NERC agreed to eliminate this language in CIP Version 6 standard revisions, this approach further signaled NERC's intention to limit the number of enforcement actions instead of tackling inherent problems with the CIP Standards themselves.
In 2013, NERC also implemented a process called "Find, Fix, Track" (FFT) to address minor violations posing a minimal risk. Under this process violations are termed "issues" that must be mitigated but that do not carry monetary penalties. The FFT process has created a number of efficiencies within the regional enforcement process. Time required to mitigate potential issues has significantly decreased. Open cases at regional entities also have decreased dramatically. Without the threat of penalties, entities are less likely to contest regional determinations or quickly implement mitigation. Since 2013, however, FERC approved expanding FFT treatment to moderate risk violations. Consequently, most "violations" or "issues" are shuttled through the FFT process and carry no penalties.
The biggest paradigm shift in enforcement of NERC Reliability Standards, however, is NERC's shift to "risk-based compliance monitoring." Instead of requiring certification and audits of compliance with a broad number of mandatory reliability standards, risk-based compliance monitoring requires regional compliance staff to focus on a limited number of targeted standards. Standards requirements that will be audited and monitored will vary, depending on the entity. In this way, auditing standards will be selected based on system-wide risks posed by individual entities based on their size, function, internal controls, and compliance profile.
While well-meant to avoid unreasonable financial repercussions, alternative enforcement tools are now increasing insecurity. They are being used increasingly to sidestep enforcement of problematic standards and the pitfalls of a cumbersome standard development process. That isn't to say that mandatory penalties for all violations are warranted. Still, NERC's move to selective compliance monitoring raises a number of questions.
Is it reasonable to expect regulated entities to implement, maintain and track costly compliance programs for hundreds of standard requirements that do not rise to the level of monitoring or enforcement?
Imagining the Future
The current regulatory regime governed by NERC Reliability Standards falls short of securing the bulk power system from a cyber attack.
To be fair, however, no individual regulatory program overseen by a single agency can hope to address bulk power system cyber security. Yet the current CIP Standards mandated by NERC and guided by FERC not only create significant regulatory risks, but are also costly to implement. Moreover, there are significant regulatory gaps that pose a serious threat to the reliability of the bulk power system, and those gaps are getting larger.
The concept of reliability standards may be the most effective tool used to establish basic bulk power system protections including physical security of critical facilities and associated systems. But more dynamic tools are needed to address evolving cyber threats. Information sharing among entities and strengthening of the Electricity Information Sharing and Analysis Center (E-ISAC) are two tools that can be used to coordinate and identify immediate threats.
Proposed legislation that would fund cyber security applications and technology development for grid security would go a long way in establishing a coordinated defense to cyber attacks on the electric grid. Ultimately, however, the solution to securing the electric grid is not a four-letter word.
Lead image © Can Stock Photo Inc. / alexmillos