As he prepares to leave office as head of the nation's electric grid operations monitor, Rick Sergel is warning the power industry that if it doesn't move faster and harder to protect itself against cyber threats, Congress and federal regulators will increasingly impose their own rules.
Sergel, who is retiring as CEO of the North American Electric Reliability Corp. in January, delivered the message in a final speech to NERC trustees and industry representatives earlier this month and expanded on it in an interview last week. Gerry Cauley, CEO of the SERC Reliability Corp. in Charlotte, N.C. -- a regional grid monitor -- will succeed Sergel.
The accelerating deployment of tens of millions of advanced electric meters and other smart grid devices may help fight climate change by increasing energy efficiency. But it is also increasing the targets of attack and could make the nation's power network potentially more vulnerable as the threat of penetration grows, Sergel said.
The danger goes beyond the disabling of transformers and control systems to include the "kidnapping" of key devices by attackers who would try to send spurious signals to shut down customers' smart meters or take power plants offline, says Joseph McClelland, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission.
"The need for vigilance will increase as new technologies are added" to the grid, he told a congressional subcommittee last month.
Industry fails to implement 2006 plan
"There is still a long road ahead" of the industry to achieve grid security goals, Sergel said in his speech to trustees Nov. 5, but the industry may not have much time to respond. "The decision time frame on these issues is measured in weeks, or perhaps months, but not years." If the industry doesn't move, "others will," he added, in a reference to bills in the House and Senate that would beef up federal cyber authority.
NERC, the Princeton, N.J., organization that oversees grid operations, was blasted by members of the House Homeland Security Committee two years ago for misleading the committee about the industry's efforts to guard against cyber attacks, in the members' words. NERC responded with new mandates for the power industry and brought in a new security executive.
But Sergel told NERC trustees that parts of the power industry haven't followed through on a key element of the cyber protection strategy. A "critical infrastructure protection" (CIP) plan first proposed by NERC in 2006 requires generating companies, grid operators and transmission owners to identify vital equipment and systems on the grid that could be vulnerable to cyber attack. The "critical assets" would be subject to mandatory security rules that are to take effect next April 1.
David Cook, NERC's vice president and general counsel, told a House committee last month that power companies had listed just 26 percent of generating plants and facilities as "critical assets" in a December 2008 NERC survey. Cook added, "The specific data is significant cause for concern" in certain cases.
Lacking a standard for 'critical' facilities
"We can tell from the results of how people addressed the assets, region by region, that the standard isn't clear enough to be getting a consistent response," Sergel told NERC trustees.
The industry's response has provoked criticism from FERC, which has designated NERC as the grid's reliability monitor. McClelland said last month that the majority of changes in cyber standards ordered by FERC have not yet been dealt with.
The approach that NERC follows gives power companies significant leeway to determine which of their facilities are "critical" -- an assessment that is the cornerstone of the cyber protection standards, he said.
"At this point, however, it is clear that all critical assets and associated critical cyber assets have not been identified and therefore made subject to the protection requirements of the CIP standards. This represents a significant gap in cyber security protection," McClelland said.
FERC also lacks information on the grid's vulnerability to so-called "high-impact, low-frequency" risks, McClelland added, including the threat that a major solar storm could trigger a devastating electromagnetic pulse (EMP) in the Earth's atmosphere, disabling satellite, radio and telephone communications and causing far-flung power blackouts lasting weeks or longer.
The grid is also vulnerable to an EMP attack by a rogue state or terrorist organization that could detonate a nuclear weapon over the United States, experts warn. Powerful doses of EMP can destroy computer chips, transistors and other elements of new "smart" energy control systems. Shielding transformers, control systems and other vital parts of the grid could cost $100 million to $400 million, according to Peter Pry, a former staff member of a congressional commission that studied the EMP threat.
McClelland's comments about the CIP standards go to the heart of the rule-setting process followed by NERC and its industry-based committees, a process that allows extensive back-and-forth about rule changes in the search for industry consensus. The result is an approach that is "inclusive," he said, but also "relatively slow, open and unpredictable."
Sergel defended the industry in an interview, saying "the industry is not reluctant to do the right thing." He added, "the challenge here is, how do you identify what assets are critical in an industry whose mantra is that no asset is 'critical'?"
If utilities fail to move, Congress might
The industry's long-standing policy is to operate the grid with enough redundancy to withstand the loss at any time of a major power plant or transmission line. The grid credo is that "you must be able to withstand the next event," Sergel said. That principle does not contemplate a cyber attack that uses one part of the grid to attack another, he added.
Three bills are before Congress now to strengthen FERC's ability to impose cyber security rules on the system, and NERC is trying to preserve its traditional consensus-based policy approach in the face of growing congressional concern and impatience. No additional hearings or markups are scheduled for the House bills, but congressional staff said the issues are actively being worked on.
Sergel and other NERC officials agree that FERC's emergency authority must expand to deal with cyber threats. But the new protections, while essential, must not inadvertently cause other reliability problems, Sergel said. The expertise to meet the challenge "can be found within the industry itself," Cook added.
H.R. 2165, proposed by House Energy and Commerce Chairman Henry Waxman (D-Calif.) and Reps. Ed Markey (D-Mass.) and John Barrow (D-Ga.), would give FERC authority to order grid operators to take defensive actions when immediate cyber threats arise. Once an emergency passed, FERC's interim actions would be replaced by consensus standards.
H.R. 2195, sponsored by House Homeland Security Chairman Bennie Thompson (D-Miss.) and Rep. Peter King (R-N.Y.), also gives emergency powers to FERC, and while industry policies could replace such orders, there is no requirement for that to happen, Cook noted.
S. 1462, passed by the Senate Energy and Natural Resources Committee, gives FERC and the Energy Department authority to act in emergencies and to address any cyber vulnerability, supplanting NERC consensus-based rules.
FERC also wants its authority extended from the network of large, high-voltage transmission lines to smaller local utility distribution lines that are not subject to its rules. As matters now stand, FERC cannot intervene to head off cyber attacks on local distribution networks, including nearly all the power line systems in some large cities, starting with New York, McClelland said.
Cook, in his testimony, said Congress should "weigh the benefits and risks" of increasing FERC's jurisdiction in this area, an appeal that resonates with lawmakers worried about the balance of federal and state control over the grid.