Dispute grows over smart grid cybersecurity jurisdiction

In recent months, increasing public awareness of the security implications of smart grid deployment has been paralleled by escalating political and bureaucratic jurisdictional battles over smart grid cybersecurity.  Federal agencies, Congress, the White House, electric industry groups, and state regulators have all taken positions in this growing debate about who should bear ultimate responsibility for ensuring the security of smart grid network systems.  As stimulus funds begin to support expanded smart grid investments across the country, it is important to understand the intensifying turf war over cybersecurity policy and what it means for the future of smart grid deployment.  

Addressing smart grid cybersecurity  
Experts have long recognized the threats inherent in applying information technology to the electric grid.  While the advanced communications and computing technologies comprising the smart grid promise to enhance system efficiency and reliability, they also create vulnerabilities common to all modern computer networks.  Smart meters and other intelligent devices will facilitate fraud, extortion, increased identity theft, and other cybercrimes.  Smart grid architecture will permit cyber attacks carried out via unauthorized network access, worms, or other means.  Such acts may range from localized denial-of-service attacks to system interruptions and catastrophic power failures.  Worst-case scenarios involve the use of such tactics by hostile countries or terrorist organizations.  

Cybersecurity issues were recognized as a serious problem by the Energy Independence and Security Act of 2007 (EISA), which directed DOE to conduct a comprehensive assessment of smart grid security.  EISA also charged the National Institute of Standards and Technology (NIST) with developing a smart grid interoperability framework, with help from FERC.  Since the passage of EISA, smart grid cybersecurity has been addressed primarily in the context of this work on interoperability standards.  

FERC took the lead in interoperability standards development, and came to view cybersecurity standards as one component of the emerging interoperability framework.  One of the most effective ways to protect smart grid networks and systems, argued FERC, is to require that advanced meters and other intelligent devices meet rigorous security standards and protocols.  The NIST/FERC interoperability initiative was regarded as an ideal vehicle for designing, adopting, and enforcing cybersecurity standards, and FERC moved aggressively to develop a smart grid security framework as part of its interoperability standards project.  

The new Obama Administration sought to accelerate smart grid deployment, and $4.5 billion in smart grid funding was included as part of the stimulus bill.  This policy push reinforced FERC’s central role in smart grid cybersecurity.  In March, FERC released a proposed policy statement and action plan on smart grid interoperability in which the Commission elaborated its views on cybersecurity.  In this draft document, FERC noted the urgency of the problem and underscored the usefulness of technology standards in ensuring network security.  FERC also suggested that compliance with smart grid cybersecurity standards be enforced by designating them Critical Infrastructure Protection (CIP) Reliability Standards.  The penalty for noncompliance with CIP standards is up to $1 million per day per violation.  Furthermore, FERC authority over smart grid cybersecurity is recognized and augmented in a draft cybersecurity bill prepared by Senator Jeff Bingaman (D-NM), chair of the Senate Energy and Natural Resources Committee.  This draft is currently circulating in the committee as it considers major energy legislation.  

Resistance to FERC  
Momentum in favor of FERC jurisdiction over smart grid cybersecurity, however, has recently met with increased resistance on multiple fronts.  The principal opposition to granting FERC authority over smart grid security comes from those who prefer lodging such authority with the Department of Homeland Security (DHS).  This option is supported by DHS itself as well as by influential members of Congress, in particular the House Homeland Security Committee’s emerging threats subcommittee.  Supporters of DHS argue that FERC has no security mandate, and that DHS was created precisely to counter critical threats such as cyber attacks.  DHS has substantial expertise and experience regarding information technology security, and has paid increasing attention to vulnerabilities associated with the smart grid.  The Department has joined forces with the National Science Foundation (NSF) to back a university research consortium known as the Trustworthy Cyber Infrastructure for the Power Grid group.  As Congress has moved to tackle cybersecurity, DHS has been actively reviewing the Bingaman draft and receiving special briefings on cyberthreats to the smart grid.  

FERC and its many electric industry supporters respond that DHS has no substantive knowledge of energy issues, and the Commission is the appropriate agency to oversee all dimensions of the national power system, including smart grid cybersecurity.  Many observers are critical of the cumbersome, unwieldy organizational structure of DHS.  Utilities complain that their interests are underrepresented at DHS, and that the Department has been unresponsive to industry overtures.  By contrast, industry maintains close, longstanding ties with FERC through which its views and opinions on questions of policy are taken into account.  The following table summarizes the debate over FERC versus DHS smart grid cybersecurity jurisdiction:

FERC
  Pro
  • FERC is lead federal agency on power grids
  • Close relationships with electric industry
  • FERC has assumed smart grid security role
  Con
  • FERC lacks security expertise
  • FERC restricted to bulk power system

DHS
  Pro
  • Security is DHS' primary mission
  • DHS has general cybersecurity expertise
  • DHS is aware of cyberthreats to smart grid
  Con
  • DHS lacks electric industry expertise
  • DHS is cumbersome
  • Lack of industry representation


Resistance to FERC authority over smart grid security has also arisen among state regulators, many of whom view the Commission as engaged in a “power grab.”  Many state officials contend that FERC jurisdiction would necessarily entail oversight over local distribution networks, a traditional state prerogative.  For these regulators, such an extension of FERC authority would overstep the Commission’s statutory confinement to wholesale power markets.  

One proposed compromise to this conflict over states’ rights lies in the creation of a federal “cybersecurity czar.”  This White House post, outlined in a bill introduced by Senator Jay Rockefeller (D-WV), would be responsible for all dimensions of cybersecurity, including smart grid security.  The draft legislation is reported to enjoy support from the Obama Administration.  While a cybersecurity czar would still represent an increase in federal power vis-à-vis states, its formation would not upset the political balance between FERC and state energy regulators.

As opposition to FERC cybersecurity jurisdiction has intensified, support among some of the Commission’s backers has softened.  In particular, some utilities worry about the prospect of FERC enforcing CIP standards on smart grid equipment.  Severe penalties combined with a huge number of devices potentially subject to standards could impose enormous costs on the electric industry.  Eleven utilities have joined with DOE to form the Advanced Metering Infrastructure Security Task Force, which addresses cybersecurity issues without the involvement of FERC.  

FERC moves forward
Despite resistance, FERC is pushing forward in its effort to claim authority over smart grid cybersecurity.  The Commission’s policy statement is subject to a 45-day comment period, which will conclude in May.  Under EISA, once FERC and NIST have reached “sufficient consensus” on standards, FERC must launch a formal rulemaking to adopt interoperability standards, including cybersecurity standards.  FERC Chairman Jon Wellinghoff believes the entire process will take “a year to eighteen months, and that would be at the outside.”  

Ultimately, it is likely that FERC will enjoy at least some jurisdiction over grid cybersecurity.  FERC is the preeminent federal agency overseeing the current power grid.  Since the smart grid will be built on the foundation of the present power system, FERC will almost certainly maintain jurisdiction over wide swathes of the smart grid.  Cybersecurity is one element of the smart grid that will require monitoring and enforcement, and this in turn will require precisely the sort of energy system expertise and experience possessed by FERC.  

The major proposed alternative to FERC, DHS, is responsible for multiple aspects of national security.  Cybersecurity represents just one dimension of national security, and smart grid security is only one component of cybersecurity.  DHS as a department is still in its formative stages, and its broad policy portfolio and complicated organizational structure are widely regarded as problematic.  The Department also lacks familiarity with the electric system and relationships with key stakeholders.  By contrast, FERC has both a deep reservoir of knowledge concerning power systems and grid management, and close ties with the electric industry, including support from large industry segments.  More importantly, FERC has already assumed the lead role on issues of smart grid cybersecurity, and the overall debate has been framed in terms of FERC as the default authority.  In bureaucratic politics, jurisdictional disputes are often decided in favor of the agency that makes the first move.  

Nevertheless, FERC jurisdiction is not a foregone conclusion.  Much depends on the content of a cybersecurity policy statement the White House is expected to release in upcoming weeks.  This highly anticipated document will present the Administration’s general approach to the issue of cybersecurity, including its role in the smart grid.  This statement is likely to guide nearly all aspects of federal cybersecurity policy, but its substance remains unknown at present. 


About Automation Insight
Automation Insight is a complimentary monthly publication designed specifically for the utility industry and those serving the utility industry. For comments or suggestions on future article topics, please e-mail automation.insight@kema.com.
