By Rich Heidorn Jr.
WASHINGTON — The National Association of Regulatory Utility Commissioners ended its winter meetings Wednesday with NARUC President Travis Kavulla’s interview of broadcaster Ted Koppel, whose 2015 book “Lights Out” alleges the U.S. is unprepared for the threat of cyberattacks on the nation’s grid.
Critics have accused Koppel of sensationalizing the threat and omitting key facts. But one might not have known that from the gentle probing Koppel received from Kavulla.
The Montana regulator pressed Koppel on his contention that investor-owned utilities lack sufficient incentives to aggressively pursue cybersecurity. But he left unchallenged the author’s claim that the electric industry can block FERC from imposing reliability standards that receive less than a two-thirds NERC membership vote.
“It’s a unique situation where an industry, in effect, is granted the right to draw a line under any restrictive legislation that the federal government might want to impose upon it and say ‘Sorry, we don’t accept it,’” Koppel said. “You’re all aware of the fact that … if FERC proposes something to NERC, NERC takes a vote on it and unless there is a two-thirds majority of NERC members — of the 3,200 or so U.S. power companies — unless they have two-thirds majority vote in favor, it is not accepted. The federal government has no unilateral power to impose legislation on the power industry.”
NERC Responds
NERC CEO Gerry Cauley, who was in the audience, disputed Koppel’s statements in an interview afterward.
“He’s missing the part where FERC can direct us to do a standard,” Cauley said. “We have the physical security, upgrading the cybersecurity standard, the GMD standard [that were ordered by FERC]. So when they tell us to do a standard, it’s not optional. And we actually have a backstop in our procedures … which says if the industry fails to approve a standard by the majority vote that we’ve been directed to do, our board takes over and approves that standard.
“We would never let that fail. And it’s never failed at this point. … Our continued existence as the [Electric Reliability Organization] is dependent on being responsive.”
Cauley said allowing NERC members to vote on standards is “valuable because it shows their support, that it’s a practical standard, the costs being passed to the customer are reasonable and there’s not going to be any litigation around it once it’s done. … There’s a value-add for having a vote, but it’s not the end. There’s no veto power by industry.”
Koppel’s publisher, Crown, did not respond to requests for comment on the criticism. FERC declined to comment.
Kavulla: Precise Language Needed
In an interview Friday, Kavulla defended his questioning of Koppel and said he was aware of controversy over the book.
He said both Koppel and Cauley — who complained to the NARUC president after the session — need to be more precise in their language.
“I’m not defending Ted Koppel. It seems to me clear that when he said the federal government had no unilateral authority, I think technically that’s untrue,” Kavulla said. “But what Gerry Cauley has told you is inaccurate or at least slightly misleading. Mr. Cauley is defending an approach where industry works to write regulations that regulate itself under generic direction by FERC … and then you seem to have Ted Koppel arguing the opposite position: that this industry is too sensitive to leave it up to regulations written by industry and that the federal government should take a more proactive role. I don’t know which is right.”
Although FERC can order standards, “it doesn’t proscribe what the standard should include,” Kavulla continued.
“There is a so-called backstop in theory, but to be clear that has never actually happened. Gerry Cauley uses the present tense voice in saying ‘Our board takes over.’ The one thing Gerry Cauley isn’t telling you is that has never occurred.”
EEI Weighs In
One industry expert who was interviewed by Koppel for the book said the author seemed uninterested in any information that didn’t support his thesis.
“We’ve heard this trope before: It’s the fox guarding the henhouse,” Scott Aaronson, the Edison Electric Institute’s managing director for national security issues, said in an interview. “Every other piece of fact proves that’s not the case.”
Aaronson said the NERC standards drafting process follows American National Standards Institute rules. “It is an open process. Anyone can participate,” he said. “We think that the process works very, very well despite Mr. Koppel’s protestations.”
Aaronson said Koppel also ignores “the important partnership that has developed between the government and owners and operators of critical infrastructure,” including the Electricity Subsector Coordinating Council, which includes 30 CEOs of operating companies and trade groups that meet three times a year with senior federal government security officials.
“He came to this with a thesis,” said Aaronson, who acknowledged he had not read the entire book. “It was effectively that the government is inept, the industry is profit motivated and our only option is to buy canned goods.”
Cauley agreed that Koppel appeared to dismiss the industry’s preparations, particularly its plans for the grid’s recovery after an attack.
“It’s a very serious area of concern — cyberattacks can happen. Our systems are particularly well guarded, but you can never say it won’t happen,” Cauley said. “I think he’s just not as aware of the things that have been done in preparation. … There are playbooks that exist that talk about roles and responsibilities. We exercise them thoroughly. The GridEx III, the exercise we went through for two days [in November], was actually more severe than his scenarios and we learned a lot. We found out what we had, what we didn’t have. We iterate on that every two years to keep getting better.” (See Two-Day GridEx III Tests Vulnerability to Terrorist Attacks.)
“Whoever [Koppel] got to talk to, he needs to talk to some more people to get the whole story.”
Bigger Question?
In an earlier session, retired Gen. Keith Alexander, former director of the National Security Agency, said the federal government needs to increase its information sharing, and the speed at which it does so, to address cybersecurity threats. “The government [has to] share what it knows about these threats. My experience in dealing with industry is they knew about 25% of what the government did. That’s insufficient. We’ve got to address that.”
Marcus Sachs, NERC’s chief security officer and the head of the Electricity Information Sharing and Analysis Center, agreed. “The offense needs to inform the defense. There’s a lot of really good national capabilities that are locked up [inside the] classified world. But those techniques need to be known to the defenders.”
Kavulla said the issue of NERC’s voting rules shouldn’t distract from the broader policy debate: Is it better to have stakeholders write standards subject to federal oversight, or should regulators write the rules subject to stakeholder feedback?
“How different would the standards look,” he asked, “if they were not subject to a two-thirds vote?”