WASHINGTON — Cybersecurity and resilience were the subject of numerous discussions at the National Association of Regulatory Utility Commissioners’ Winter Policy Summit this week, with NERC CEO Jim Robb previewing an upcoming report on GridEx V and a FERC official urging regulators to get security clearances.
Here are the highlights of what we heard.
USAID Working on Cybersecurity in Eurasia
As the primary foreign assistance arm of the U.S. government, the Agency for International Development is known for “sacks of grain, digging wells [and] collective farms, and that is a lot of what we do,” said Steve Burns, chief of the agency’s energy and infrastructure bureau for Europe and Eurasia. “But we are also engaged in pretty advanced energy market structuring work and … critical infrastructure work.”
He cited USAID and NARUC’s work with Eastern European utilities on the development of cyber standards and tools for evaluating utility cyber preparedness.
“There’s probably a 12- to 18-month lag from when we introduce concepts until they’re taken on. We’ve been working with NARUC on this since late 2016, and we’re really starting to see the uptake now,” he said. “We’re actually seeing a lot of that come back to the United States. For instance, the regulatory cybersecurity strategy development guide that has been put out, some of the stuff that we’re working on now was actually done through the international partnership and then ported over … and there was more work done here to make it appropriate for a U.S. audience. We have seen several states actually start to develop strategies based on that. There’s a lot of that information sharing that goes back and forth.”
Michigan Public Service Commissioner Dan Scripps said he benefited from a three-day trip to Estonia and North Macedonia in October, where he met with regulatory agencies from 10 countries.
“In some ways, they’re ahead of us, and in some ways, we’re ahead of them [on cybersecurity],” he said. “There was a real opportunity for dialogue as opposed to, ‘Hey, we know all the answers.’ … This is very much a two-way street. The questions that were asked, the examples that they provided, all helped me as a Michigan regulator ensure that we’ve got the right protections.”
DOE Praises State Cyber Efforts
Assistant Energy Secretary Karen Evans, head of the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), praised states for stepping up their cybersecurity efforts. She noted the increased state participation in GridEx V and said 16 states considered about 50 legislative measures to address cybersecurity of the electric grid and other critical infrastructure in 2019. “This is an increase of around 30% over the previous year,” she said.
She also discussed her office’s role in helping the Department of Homeland Security and states respond to manmade and natural disasters, including cyberattacks, electromagnetic pulses and geomagnetic disturbances (GMD) under Emergency Support Function (ESF) 12.
Each state and territory was required to identify an energy emergency assurance coordinator, some of whom are officials of state regulatory agencies, while others are part of state energy or emergency preparedness offices.
South Carolina Public Service Commissioner Swain E. Whitfield, who chaired the commission between 2016 and 2018, complained that state law limits the commission’s emergency role.
“The ESF12 function goes to the Office of Regulatory Staff, which by law has to be housed in a separate building from us,” he said. “When I was chairman and hurricanes were hitting South Carolina, I was getting calls from my fellow state chairmen all around the nation offering everything from 8,000 National Guard troops to water to all kinds of resources. It was really frustrating because I wanted to be right there in the forefront of helping. But we’re not allowed to be in the operations center because some of our utility heads are in there and they don’t want us interacting.”
But that doesn’t mean the commission isn’t important, he said, noting that regulators have to approve utility spending on capital investments and other preparedness measures. He also noted NARUC’s work on recovering from “black sky” events. “Those are certainly two areas where you as a regulator can … be involved even if you’re in a state like mine, where it’s clearly defined that you don’t have an ESF12 function,” he said.
FERC: State Regulators Need Security Clearances
Joe McClelland, director of FERC’s Office of Energy Infrastructure Security, told regulators their commissions should obtain security clearances for at least one commissioner and one subject matter expert so they understand cyber threats and are capable of responding to them.
McClelland said he tells utilities the same thing. “My personal opinion is there should be at least two people that have those clearances. One would be the subject matter expert; it could be anybody. The second person is the CEO. Why both? Because if they’re both in a secure facility and the subject matter expert is saying, ‘We’re just getting murdered here. We’ve got adversaries that are able to do x, y and z because of a vulnerability that we have,’ the CEO, if they’ve got the trust of the board of directors, can say, ‘Let’s fix it.’”
He noted that in 2017, the Defense Department’s Defense Science Board Task Force on Cyber Deterrence issued a report that recommended increased information sharing with regulators considering cost recovery requests for resilience investments.
“We’re not going to force you to do it,” he told the regulators. “But if you work with us, our office will make sure you have access to that intel and you have an understanding of what those threats are, [that] you understand what our position is, what the consensus of the security community is. We bring them into that conversation too and identify fixes for those vulnerabilities.”
Prudent Resilience Spending vs. Gold Plating
Scott Aaronson, vice president of security and preparedness for the Edison Electric Institute, said industry needs to find a way to quantify the value of resilience investments to win the support of consumer advocates suspicious of excessive spending on “gold plating.”
“Instead of being in this defensive, ‘Hey just let us spend this money’ [posture], it is incumbent upon the companies and our federal partners … to make the case to consumer advocates that … [these are] not just prudent investments, but actually can ultimately have better outcomes for customers.”
Aaronson cited the example of Florida Power and Light, which spent $3 billion in 2005-15 on storm-hardening measures, including replacing poles with stronger wood or concrete ones, installing flood monitors and improving maintenance through more aggressive vegetation management and increased inspections.
The utility won regulatory approval for the spending after Hurricane Rita knocked out power to 4.8 million people for up to 13 days in 2005. About 4.6 million people lost power during Hurricane Irma in 2017, but all were restored within five days, Aaronson said.
“That eight-day delta — if you just used the $1 billion of GDP for the state of Florida per day — saved $8 billion. They spent $3 [billion]; they saved $8 [billion].
“There’s a great case for resilience investment. The problem with resilience investments is you’re proving a negative. So, until a bad thing happens, you can’t prove that resilience investments had economic benefits. I can do it anecdotally. We really need to work together to find a way to do it quantitatively.”
The Critical Consumer Issues Forum, which includes state regulators, consumer advocates and industry, began an initiative on the resilience issue at NARUC’s annual meeting last November in San Antonio, Texas. It is continuing its work this year with summits in Tampa, Fla. (Feb. 27-28), Denver (March 25-26) and Arlington, Va. (April 30-May 1).
GridEx V Report Previewed
NERC CEO Jim Robb provided regulators with a preview of the after-action report that NERC plans to release next month on last November’s GridEx V. (See GridEx V Throws New Tech Curveball.)
He praised NARUC, the National Governors Association and the National Association of State Energy Officials for promoting the event to their members, saying 25 state governments took part, six more than in GridEx IV in 2017. “As we start planning the next installment … we’d like to see those numbers go even higher,” Robb said.
State participants included regulatory commissions, emergency managers, the National Guard, intelligence “fusion centers,” law enforcement and state energy offices.
NERC used a different approach for the tabletop portion of the drill last year.
“Rather than signaling another national or continental crisis, we really focused in on a regional attack. Much to John McAvoy’s — the CEO of Con Ed’s — dismay, we chose New York City, New York state and southern Ontario as the focus of that attack,” Robb explained.
“We felt by limiting it to a regional attack and then really focusing in on the operational issues as opposed to the policy issues that would be required to restore a system, we thought it would be much richer and [produce] more operational lessons learned than previous exercises.”
Robb said the drill provided good lessons on the role of natural gas, which he noted has become “the key fuel for keeping the lights on” in some regions and is “also very key to how you restore the system in a black start scenario.”
“This is an area where state commissions also need to play a role, particularly on the intrastate pipelines and the [local distribution companies] that you all have jurisdiction over. When it comes to the question of prioritizing restoration of electric service, the hard questions around where to send the next molecule of gas is one that at some point you all may have to deal with. And it would be good to practice those decisions and [uncover] the underlying issues in advance of an actual emergency. That will be one of the things we’ll really test in a big way in GridEx VI.”
– Rich Heidorn Jr.