WASHINGTON — A panel headed by former CIA and NSA chief Michael Hayden today recommended an expansion of the electric industry’s cybersecurity efforts, saying the current efforts by FERC and NERC fail to protect the distribution system.

The Bipartisan Policy Center panel recommended creation of an industry-led body, modeled on the Institute of Nuclear Power Operations (INPO), to expand adoption of cybersecurity risk-management practices and complement the North American Electric Reliability Corp.’s mandatory standards on the Bulk Electric System.

“In some ways, the electric sector is in a stronger position than other sectors to address cyber threats because it already has extensive policies in place — including mandatory federal standards that apply to the bulk power system and nuclear power plants…” the BPC report acknowledged.

“While standards provide a useful baseline level of cybersecurity, they do not create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. Distribution facilities generally operate outside of FERC jurisdiction. In some cases attacks at the distribution-system level could have consequences that extend to the broader grid.”

The report’s recommendations would require actions by Congress, federal agencies, state public utilities commissions and industry. It was authored by Hayden, former FERC chairman Curtis Hebert and consultant Susan Tierney.

PJM’s Boston Agrees

PJM CEO Terry Boston, who served an advisory panel consulted by the authors, was among those who attended a briefing today announcing the report. Although he was not involved in drafting the resulting report, Boston said he generally agreed with its recommendations.

Boston said he particularly favored the recommendation for an INPO-like organization. INPO was the model for the North American Transmission Forum, which was created about five years ago to facilitate sharing of information and best practices among grid operators. The new organization would expand such efforts to generation operators and distribution operations.

One key risk to the distribution system, Boston said, is that smart grid devices could be hijacked to turn load on and off, sending system frequency fluctuating wildly. “The smarter we get, the more at risk we are,” he said.

EEI: No Need for New Organization

Scott Aronson, senior director of national security policy for the Edison Electric Institute, also served on the BPC advisory panel and participated in a panel discussion at the BPC event.

Aronson said that EEI agrees that current efforts are not sufficient but doesn’t believe a new organization is necessary. “We do have a lot of organizations,” he said, citing NERC, the Transmission Forum, the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) and the Electricity Sub-sector Coordinating Council, which includes utility CEOs and deputy secretaries from the departments of Energy and Homeland Security.

Aronson also pushed back on suggestions that “there’s a hole in the distribution-level” protections, noting that many states have mandatory reliability rules. “I do think, though, that we need to elevate all of the states” to meet those employing best practices, he said.

Recommendations Detailed

The proposed organization would develop performance criteria, conduct cybersecurity evaluations at individual facilities and analyze systemic risks, particularly on the distribution system.

The report also calls on Congress to adopt legislation providing liability protection to entities that achieve a favorable cybersecurity evaluation by the new institute and backstop cybersecurity insurance “until the private market develops more fully.”

It also said industry and the federal government should establish a certification program that independently tests grid technologies and products and that the National Institute of Standards and Technology (NIST) should develop guidelines for skills training and workforce development.

Asked whether he disagreed with any of the panel’s recommendations, Boston mentioned the call for liability protection. “That’s not where my emphasis is,” he said.