
Cybersecurity and Regulatory Uncertainty

Power Engineering, Volume 118, Issue 1.

By Joel deJesus, Schiff Hardin

With the Obama Administration’s Executive Order 13636 last February and the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) recently adopting Version 5 of NERC’s Critical Infrastructure Protection (CIP) Reliability Standards, cybersecurity is currently at the forefront of the electric industry’s collective mind. The problem is that the rules of the road seem to be changing. Now, as FERC has directed NERC to make additional changes to Version 5 and the National Institute of Standards and Technology (NIST) is contemplating a new cybersecurity framework to govern all critical infrastructure industries, including the electric industry and other key sectors, the question remains for the electric industry: How is this all supposed to work? Investment decisions occur over a long-term horizon, but such decisions are difficult to make when the regulations are in a constant state of flux.

Cybersecurity in the electric industry has been regulated under NERC’s CIP Reliability Standards for several years. These CIP standards require the industry to implement specific cybersecurity protections and subject the industry to substantial monetary penalties for noncompliance. The first mandatory CIP standards were proposed by NERC in 2006 and approved by FERC in 2008. We are now on Version 5, and FERC just directed NERC to make additional changes to the CIP standards in what will inevitably become Version 6. While one or more individual standards have been through the same number of revisions, no single set of standards has been revised more as a group. Even without the revisions, NERC’s reading and application of the CIP standards has evolved in the past five years. Determinations made in audits three years ago are now being revisited in more recent audits. NERC has published guidance documents to help the industry understand how to apply the CIP standards, but even those guidance documents have undergone substantial revision.

Perhaps in reaction to this change, or because the change is not coming fast enough, regulators are trying out new ways of protecting cybersecurity. NERC, through its Energy Sector Information Sharing and Analysis Center (ES-ISAC), and FERC, through its new Office of Energy Infrastructure Security (OEIS), are supplementing their role as enforcement agencies and taking on more voluntary outreach activities. In the past couple of years, NERC has revamped its ES-ISAC to act as a clearinghouse for cybersecurity threat information for the electric industry. FERC’s OEIS is taking a more targeted approach by offering to provide individualized threat assessments to individual entities in the electric industry. It may be hard for both NERC and FERC to marry their roles of enforcer of CIP standards and partner in the sharing of cyber threat information. Earlier this year, NERC had to adopt a formal firewall policy to assure that any voluntary sharing would not be the source of penalties. Moreover, the industry has yet to confront the liability issues associated with handling and responding to cyber threat information.

Executive Order 13636 appears to be a blend of the standard-setting and information-sharing approaches employed by NERC and FERC. As noted earlier, the Executive Order directs NIST to develop a “cybersecurity framework” for all critical infrastructure industries, not just the electric industry. Although the framework must be voluntary, the Executive Order calls for the adoption of incentives for the electric industry and other sectors to comply with these standards. The nature of these incentives, and how the NIST standards will interact with the existing NERC CIP standards, remains to be seen. In fact, the draft NIST cybersecurity framework, which was published in late October for public comment by Dec. 13, 2013, seems to treat the NERC CIP standards as one of many “informative references” that the electric industry must become familiar with and incorporate into its day-to-day cybersecurity programs. The Executive Order also embraces the voluntary information-sharing concept by directing the Department of Homeland Security to expand its “Enhanced Cybersecurity Services,” by enlisting private sector experts into Federal service to advise on the information needed to protect critical cyber assets, and by directing federal agencies to produce unclassified reports in a timelier manner. As with the NERC and FERC efforts at voluntary information sharing, the roles of enforcer and partner will need to be sorted out for all sectors, even those that have not experienced the extent of standards enforcement seen in the electric industry.

Change may be an inherent part of the cybersecurity landscape, given how quickly new threats can emerge and spread. However, as regulators attempt to impose and improve standards to address cybersecurity and to take new approaches to safeguarding cybersecurity such as facilitating the sharing of cyber threat information, they should consider the pace of such changes and the industry’s need for certainty to make necessary investments in critical infrastructure and critical infrastructure protection.
