The following is an Op-Ed published at The Hill today. It underscores the need for securing our electric grid as a matter of national priority. In an ongoing global economic war, our power grid will be targeted whether by EMP, cyber, or physical attack. It is essential that we shore up this vulnerability as soon as possible.
The following is reprinted in its entirety with permission (from the authors as well as The Hill):
July 07, 2014, 04:00 pm
Senate should demand electric grid reliability and security
By Thomas S. Popik and William R. Graham
With a Senate vote on two nominees for commissioners of the Federal Energy Regulatory Commission (FERC) pending, there is unprecedented attention on this obscure regulator of interstate pipelines and electricity transmission. In 2005, Congress granted FERC additional authority to regulate electric grid reliability and security, but too often FERC has accommodated industry rather than enforce strict standards.
Both FERC nominees, Cheryl LaFleur and Norman Bay, have long tenures as commissioner and director of Enforcement, respectively. Before a confirmation vote, Senators should examine FERC's weak regulatory record and determine whether leadership and legislative fixes are necessary.
Prior to the 2003 Northeast Blackout, which affected 50 million people, electric grid reliability and security were unregulated. An industry trade association had set voluntary standards but compliance was spotty. After the Northeast Blackout, a special U.S.-Canada task force identified the voluntary standards system as a prime cause. In response, Congress designed a hybrid regulatory system, where a private successor to the trade association, the North American Electric Reliability Corporation (NERC), would set mandatory standards. FERC would have authority to request, review, and approve, but not change, NERC's standards.
Nominee and Acting FERC Chair LaFleur, formerly a senior utility executive, is a supporter of the hybrid FERC-NERC regulatory system. At an April Senate hearing entitled, "Keeping the lights on — Are we doing enough to ensure the reliability and security of the U.S. electric grid?" energy committee Chair Mary Landrieu (D-La.) requested of the witnesses, "Say how this is working."
"I think it's working quite well," responded Chairman LaFleur. NERC CEO Gerry Cauley chimed in, "I think the model is working really well."
But all is not well with security of the U.S. electric grid. In April 2013, a sophisticated attack first cut key communication cables and then shot out 17 transformers at the Metcalf substation in California. A few more well-placed rifle shots would have blacked out Silicon Valley and San Francisco.
In May 2013, three weeks after the Metcalf attack, a key NERC committee voted to cancel an in-process standard for physical security of transformer substations and other critical grid facilities; FERC declined to challenge NERC's action. A FERC report leaked in March 2014 revealed that an attack on nine substations could black out the U.S. for over a year—only then did FERC direct NERC to reinitiate a standard for physical security.
NERC's physical security standard leaves out control centers that manage power for 100 million Americans and all electricity generation plants, including fifty critical plants that provide gigawatts of baseload power. Commissioner LaFleur candidly testified in her confirmation process that an attack on a single critical generation plant could cause cascading outage—and a recent event has highlighted vulnerability of generation plants. In mid-June, a generation plant required for reliable grid operation in southern Arizona was attacked. While actual damage was slight, the intruders were able to successfully penetrate the plant perimeter and escape undetected.
Congress granted FERC authority to direct that NERC set standards by a certain date, but FERC has avoided using this authority. Instead, FERC has allowed NERC to set standards on its own schedule. It took ten years for NERC to set standards to address causes of the 2003 Northeast Blackout.
In November 2013, FERC approved an NERC-drafted cyber security standard. In its ruling, FERC called out deficiencies in the standard—including exemption of communications networks—but nonetheless approved the standard. Consistent with FERC practice, NERC got extra time to fix deficiencies. In June 2014, computer security firm Symantec revealed that a state-sponsored attacker had compromised U.S. electric utilities—using communication networks exempted under the FERC-approved cyber security standard.
NERC is an organization governed by its members' votes and dominated by electric utilities. Seventy percent of NERC voting members work for electric utilities. Predictably, NERC members are reluctant to vote for standards that will impose compliance burdens on their companies. Too often, FERC stands by while delayed and watered-down standards transfer risks of blackouts and their costs from electric utilities onto the nation as a whole.
Before the upcoming FERC confirmation vote, it is vitally important for senators to examine FERC's minimal regulation of electric grid reliability and security. The Senate deserves commitments from prospective Commissioners that FERC's accommodative stance toward the electric utility industry will end. If current legislation gives FERC inadequate authority to regulate, the nominees need to forthrightly admit this. Without intervention by Congress, continued lack of electric grid regulation will risk widespread and long-term blackouts, with catastrophic consequences for the American public.
Popik is chairman of the Foundation for Resilient Societies. Graham was Science Adviser for President Reagan and director of the White House Office of Science and Technology Policy.