In March 2018, the FBI and Department of Homeland Security released a joint report describing Russian government cyber activity targeting America’s critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and manufacturing sectors. Most media reports ignored the threats to other critical infrastructure industries and focused exclusively on the threat to our electric system, with sensational headlines like “Russia Hacked U.S. Power Grid” and “Russian Hackers Are Attacking U.S. Power Plants.” The Department of Homeland Security has identified sixteen critical infrastructure sectors whose assets are considered vital to national security, the economy, or public health and safety; the electricity industry is only a subsector within the energy sector. Yet cyber threats to the power grid garner the lion’s share of attention from the media, lawmakers, and the public. And the implication is always clear: we need to do more to protect the grid from hackers.
Cyber threats are real and serious. We must protect the power grid from those who would do us harm. But what is all too often missing from the public conversation is what we are already doing to defend the grid against cyber attacks. Unless we have a thorough understanding of the laws and regulations that already exist, we cannot have a productive public discourse about how much more we should be doing.
If you don’t work with electric utilities, you may be surprised to hear that over a decade ago the federal government approved the first set of mandatory standards requiring many users, owners, and operators of the interstate power system to comply with specific requirements to safeguard critical cyber assets. Since then, the federal cybersecurity standards for electricity have expanded in scope and sophistication. Electric utilities devote significant resources to compliance with those evolving cybersecurity standards. A robust system of enforcement—including audits, spot checks, and self-reporting—helps ensure compliance, and utilities that fail to comply with any of the cybersecurity standards are subject to penalties up to $1 million per day for each violation. These cybersecurity standards do not eliminate all risk of a cyber attack having an adverse impact on grid reliability, but they are an important regulatory tool to reduce that risk.
This article provides a brief overview of these electric cybersecurity standards, including their overall regulatory structure, scope, and substance.
The Regulatory Framework for Electric Reliability and Cybersecurity
In 2005, Congress enacted a unique regulatory framework for improving the reliability of the electric grid. Congress did not—as one might have expected—authorize the Federal Energy Regulatory Commission (FERC) to directly regulate what actions electric utilities must take to maintain reliable operations. Instead, because of the international nature of the North American grid, the Energy Policy Act of 2005 amended the Federal Power Act to direct FERC to select and certify an independent Electric Reliability Organization that would develop and enforce reliability standards to provide for reliable operation of the “bulk-power system” (a term we will return to shortly). The statute explicitly included cybersecurity protection in the definition of reliability standards.
In April 2006, the North American Electric Reliability Corporation (NERC), which had previously been an organization of utilities that maintained and practiced voluntary operating criteria and guides, applied to FERC for certification as the Electric Reliability Organization. NERC also made filings seeking comparable recognition from government authorities in Canada. Today, NERC is recognized as the primary electric reliability standards-setting organization in North America, including parts of Mexico.
Within the United States, NERC develops reliability standards, including cybersecurity standards, subject to oversight from FERC. NERC must obtain FERC approval for any reliability standard before it can become enforceable, and FERC has the authority to send standards back to NERC for further consideration. FERC also has the ability to order NERC to submit a new reliability standard or to modify a reliability standard to address a specific reliability concern.
NERC develops reliability standards through a transparent stakeholder process that has been certified by the American National Standards Institute (ANSI). This means that the electricity industry plays a significant role in drafting the standards. Some have criticized this process, suggesting that the standards can’t be trusted to adequately protect reliability because NERC allows the industry to write its own regulations. Such criticisms fail to recognize the role of the industry participants and the role of FERC oversight.
Regulating electric reliability is a highly technical endeavor that requires deep knowledge of how the grid works. The content of NERC’s reliability standards is not being driven by industry lawyers and lobbyists who make backroom deals with the regulators, but instead is being transparently drafted by technical experts who have first-hand knowledge of how to protect their assets. Moreover, FERC does not rubber stamp the standards that NERC drafts. Particularly for cybersecurity standards, FERC regularly exercises its authority to direct further changes to the standards.
Within the United States, NERC is also responsible for enforcing the reliability standards. The Federal Power Act authorizes NERC to impose penalties of up to $1 million per day if, after notice and opportunity for hearing, NERC finds that a utility has violated a reliability standard. Any such penalties must be filed with FERC, along with a record of the proceeding, and FERC has 30 days to review the penalty. FERC can affirm, set aside, or modify a penalty, or remand the issue back to NERC for further proceedings. Additionally, FERC has independent authority to investigate potential violations of reliability standards and impose penalties on utilities.
NERC uses a variety of tools to ensure utilities are complying with the reliability standards. Utilities are expected to self-report violations to NERC, and self-reporting is an important mitigating factor in penalty determinations; approximately 80 percent of violations are self-reported. NERC also engages in regular audits and occasional spot checks to verify utilities’ compliance.
Protecting Systems That Impact Reliable Operation of the Grid
Within that overall regulatory framework, NERC proposed in August 2006 the first set of Critical Infrastructure Protection (CIP) standards to protect the grid from cyber and physical attacks. FERC approved those “Version 1” cybersecurity standards, but directed NERC to make several changes. NERC subsequently filed its Version 2 cybersecurity standards, then Version 3, Version 4, Version 5, and beyond. Over the years, NERC has continued to revise and improve the cybersecurity standards to address FERC’s directives, and the scope of the standards has grown.
Understanding the scope of those standards is important because NERC’s cybersecurity standards do not require every utility in North America to protect every single computer it owns. Computer systems for local distribution networks are not subject to federal regulation. And the computer systems that do not impact grid operations—your utility’s email servers or the laptops used by a utility’s customer service department—are not covered by NERC’s cybersecurity standards. Instead, the standards apply to computer systems that can impact the reliable operation of the interstate transmission system.
The scope of the cybersecurity standards begins with the statute, which (as noted above) gives FERC and NERC authority to develop reliability standards applicable to owners, operators, and users of the “bulk power system.” The bulk power system includes facilities and control systems necessary for operating the interconnected transmission network and electric energy from generation facilities needed to maintain transmission system reliability, but does not include local distribution facilities. NERC’s cybersecurity standards do not refer to the bulk power system, but instead use the largely synonymous term “Bulk Electric System” or “BES.” NERC—with FERC’s approval—has developed a detailed definition of what facilities are included in the Bulk Electric System, which generally includes electric transmission facilities operating above 100 kilovolts and electric generators directly connected to those transmission facilities that can produce more than 20 MW of power. The statutory “bulk power system” is arguably more expansive than NERC’s Bulk Electric System, but as a practical matter, all of NERC’s reliability standards are limited to the Bulk Electric System.
The Federal Power Act’s definition of the bulk power system and NERC’s definition of the Bulk Electric System leave out local distribution facilities. As a result, the computer systems that control the electric facilities that deliver power to your neighborhood’s homes and businesses are generally not subject to NERC’s cybersecurity standards. Responsibility for regulating the cybersecurity of those facilities falls to state and municipal regulators. The Federal Power Act does authorize FERC and NERC to develop standards for users of the bulk power system in addition to its owners and operators, but the limits of that authority have not been tested. FERC and NERC have (with some exceptions) generally limited the scope of the cybersecurity standards to owners and operators of the Bulk Electric System.
So NERC’s cybersecurity standards apply to hundreds of utilities around the country that own or operate the Bulk Electric System. But the standards do not apply to all of those utilities’ computer systems. NERC’s current cybersecurity standards apply only to “BES Cyber Systems” and associated cyber assets. BES Cyber Systems are any programmable devices that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the Bulk Electric System within 15 minutes of such a compromise. Picture a control room with giant video displays that allow system operators to monitor the power flowing over the grid, or the computer system connected to a natural gas generator that tells the generator when to turn on or off. Such computer systems are critical to keeping the lights on, so we need to ensure those systems are safe from hackers. But other utility computer systems—like the email and web servers on a utility’s corporate network—cannot immediately impact grid reliability, so those systems are not subject to NERC’s cybersecurity standards.
In addition to BES Cyber Systems, NERC’s cybersecurity standards apply to physical access control systems (e.g., keycard systems) that allow only authorized personnel to gain physical access to the Bulk Electric System or the BES Cyber Systems that control it. And the standards apply to the electronic access control and monitoring systems (e.g., the firewalls) that electronically protect BES Cyber Systems. While those physical and electronic access systems do not directly impact grid reliability, they are important systems for protecting the assets that do impact reliability.
Recently, in response to a directive from FERC, NERC proposed to further expand the scope of its cybersecurity standards to include requirements for mitigating cybersecurity risks associated with the supply chain for BES Cyber Systems. The global supply chain for industrial control systems that operate the grid provides significant benefits, including lower cost and better operation, but it also provides additional opportunities for adversaries to attack those systems. FERC and NERC lack the authority to directly regulate the manufacturers and vendors of those systems, but they nevertheless decided to take action to mitigate the risks associated with the global supply chain. NERC’s new supply chain management standards require utilities to take actions that will reduce the likelihood of (1) a utility entering into contracts with vendors that pose significant risks to the grid; (2) an attacker exploiting a vendor’s system to deliver compromised software to a utility; and (3) an attacker stealing a vendor’s security credentials to access a BES Cyber System. In January 2018, FERC proposed to approve NERC’s supply chain standards and proposed to direct further changes to those standards.
In sum, NERC’s mandatory cybersecurity standards do not apply to every utility computer system, but they do cover the assets that are most important to ensuring reliable grid operations. It is, of course, serious and troublesome when hackers (Russian or otherwise) gain access to a utility’s corporate networks. Such attacks could be the first step toward gaining access to (or at least gaining information about) the BES Cyber Systems that can impact grid reliability. But it is not accurate to characterize such attacks as “hacking the power grid.” NERC’s cybersecurity standards require utilities to protect the systems that control the power grid, and federal law gives FERC and NERC the authority to ensure that utilities are complying with those standards.
A Risk-Based Approach to Protecting the Grid from Cyber Attacks
NERC’s cybersecurity standards require utilities to take multiple actions to protect BES Cyber Systems and associated cyber assets from hackers. But no set of requirements can guarantee that the grid will be perfectly immune to cyber attacks, and every requirement imposes some cost that is ultimately borne by consumers. In the extreme, we could eliminate cyber threats by forgoing the use of computers to control the Bulk Electric System, but the harm to consumers of turning back decades of technological progress would far outweigh the benefits. So, instead, we accept that there will always be some cyber risk, and we require utilities to take appropriate measures to reduce and mitigate that risk.
NERC’s current cybersecurity standards have adopted a risk-based approach to protecting BES Cyber Systems. The first requirement is that utilities identify their BES Cyber Systems and categorize those systems—based on specified bright-line criteria—as having high, medium, or low impact on grid reliability. For example, NERC defines the BES Cyber Systems at a control center for a regional grid operator that sends dispatch instructions to hundreds of generators across the region as having high impact. NERC defines the BES Cyber Systems associated with a generating facility that can produce more than 1500 MW of power as having medium impact. Any BES Cyber System that is not categorized as medium- or high-impact is automatically deemed to have low impact.
For medium- and high-impact BES Cyber Systems (and their associated physical and electronic access systems), NERC’s cybersecurity requirements are divided into eight groups: (1) Personnel and Training requirements that include cyber security training, personnel risk assessment (e.g., background checks), and access management; (2) Electronic Security Perimeter requirements for managing electronic access to BES Cyber Systems; (3) Physical Security requirements to control physical access to BES Cyber Systems; (4) Systems Security Management requirements that include processes for ensuring systems have the latest security updates and systems to detect and prevent malicious code; (5) Incident Reporting requirements; (6) Recovery Plan requirements that support the continued stability, operability, and reliability of the Bulk Electric System after a cyber attack; (7) Configuration Change Management and Vulnerability Assessment requirements that include processes intended to detect unauthorized modifications to BES Cyber Systems; and (8) Information Protection requirements that prevent unauthorized access to sensitive information about the Bulk Electric System.
Collectively, those cybersecurity requirements are rigorous. Owners and operators of medium- and high-impact BES Cyber Systems dedicate very significant resources to complying with those requirements and protecting their assets from cyber threats. And NERC actively audits utilities’ compliance with the standards.
For low-impact BES Cyber Systems, FERC and NERC have—consistent with their risk-based approach to cybersecurity—determined that a lesser degree of rigor is appropriate. Low-impact BES Cyber Systems comprise a much more diverse set of assets than medium- and high-impact BES Cyber Systems, so being overly prescriptive about how to protect low-impact systems could be counterproductive. Thus, under the current cybersecurity standards, applicable utilities must implement cybersecurity policies that collectively address cybersecurity awareness, physical security controls, electronic access controls, and incident response for low-impact BES Cyber Systems. FERC recently approved enhancements to the cybersecurity standards for low-impact BES Cyber Systems; those enhancements, which will be enforceable beginning in 2020, include requirements for transient electronic devices (e.g., laptops that are temporarily connected to a BES Cyber System) and more specific requirements for electronic access controls.
In short, NERC’s cybersecurity standards are designed to protect all of the computer systems that, if compromised, would adversely impact reliable operation of the Bulk Electric System. The standards set forth the minimum level of protection that utilities must implement for each of their BES Cyber Systems, based on the risk associated with each system. Utilities can go above and beyond NERC’s requirements, but the NERC cybersecurity standards ensure that there is a common baseline that utilities must comply with.
More than a decade ago, Congress created a regulatory framework to ensure that owners, operators, and users of the nation’s bulk power system take appropriate measures to protect the grid from cyber threats. Today, hundreds of electric utilities around the country are complying with NERC’s cybersecurity standards, which take a risk-based approach to protecting the computer systems that can adversely impact grid reliability. FERC and NERC have a robust system in place to verify compliance with the standards, and utilities are subject to significant financial penalties for failure to comply.
Especially given the dynamic nature of the threats, NERC’s cybersecurity standards do not—and could not—eliminate all risk of a cyber attack having an adverse impact on grid reliability. There can be legitimate public debate about whether the federal government should do more to protect the grid from adversaries who are targeting our power system. But for that debate to be productive, it must be informed by the risk-based actions that FERC, NERC, and the nation’s utilities are already taking to protect the bulk power system.