Editor’s Note: The following article from Congressional Quarterly discusses FERC’s interest in obtaining statutory authority to regulate electrical utilities’ cybersecurity for protection against natural disasters as well as other threats. FERC’s comments reflect part of a growing, broad-based federal interest in regulating private sector computer network defenses.
FERC Looks for New Authority in Cybersecurity Legislation
By CQ Staff
Congressional Quarterly Homeland Security
May 9, 2011
In the debate over cybersecurity legislation, the federal government’s authority to regulate private sector security practices has been a central point of contention. As various Senate panels try to come to agreement over a comprehensive bill, the Federal Energy Regulatory Commission is saying it needs an enhanced ability to protect the networks controlling electrical grids from potential electromagnetic pulses from solar flares and other causes.
“An EMP event could seriously degrade or shut down a large part of the electric power grid,” Joseph McClelland, director of the FERC Office of Energy Projects, told the Senate Energy and Natural Resources Committee last week. “Such events are inevitable, can be powerful, and can also cause significant and prolonged disruptions to the power grid.”
EMPs, or large bursts of electromagnetic radiation that can damage electrical systems, can be caused by solar flares, large storms that disrupt the earth’s magnetic field or high-altitude nuclear detonations.
McClelland said that his agency and the departments of Homeland Security and Energy recently completed an EMP study through the Oak Ridge National Laboratory, which found that without additional shielding measures, the U.S. electric grid would experience a collapse if hit with a “one-in-100-year event.”
The study’s example of such an event was a massive solar storm in 1921. If that storm were to occur today, McClelland said, it would damage or destroy more than 300 bulk power system transformers, “interrupting power to 130 million people for 10 years.” Despite the threat, he said, there are few protection measures in place for EMPs.
Currently, FERC cannot author or modify cybersecurity standards. Instead, it can only approve those drafted by the North American Electric Reliability Corporation, a collection of grid operators. In 2008, FERC approved eight cybersecurity standards, but also directed the corporation to make significant modifications to them. McClelland said FERC is still waiting on most of those modifications.
He called the current cybersecurity standard approval process too slow to deal with emerging threats, and said new legislation should give his agency the ability to take direct regulatory action in anticipation of national security threats resulting from cyber or physical threats.
“The commission’s legal authority is inadequate for such action,” he said.
William Tedeschi, senior scientist and engineer at Sandia National Laboratories, said the EMP threat to the grid is worth examining, but said the issue needs more study before it is ready for regulatory action.
“We respectfully suggest that further computational and experimental work is required before fully informed decisions can be made about where and to what extent the power grid should be hardened solely against nuclear high-altitude electromagnetic pulse threats,” he said.
The North American Electric Reliability Corporation is looking for cybersecurity legislation that would avoid fundamental changes to the FERC process for setting standards for EMPs and other threats. Gerry Cauley, the corporation’s president, said FERC already has the authority it needs to direct his group to prepare standards for particular threats, including those that involve cybersecurity. He also said that industry is working to stockpile enough spare parts to deal with the occurrence of a large-scale EMP.
“We have a very substantial spare transformer inventory that the industry for several years has been committing resources to because we recognize how critical the transformers are and, if you lose a transformer, it takes a while to restore service,” he said. “So we’re working to make sure we have this redundancy in our transformers.”
The committee convened the hearing to discuss a cybersecurity bill concerning the electric sector that its leaders are drafting, as they did in 2009. However, Chairman Jeff Bingaman, D-N.M., acknowledged that there are other measures in the works, and seven panels with jurisdiction.
“This is not the only committee in the Senate working on cybersecurity issues,” he said. “I welcome the opportunity to work closely with other committees to ensure that the product of this committee’s efforts works seamlessly with the proposals coming out of other committees’ work.”
The Senate Homeland Security and Governmental Affairs and the Commerce, Science and Transportation committees have produced a merged cybersecurity bill (S 413).
Source: CQ Homeland Security ©2011