Earlier this month, the Federal Energy Regulatory Commission ordered the North American Electric Reliability Corp. to develop a set of standards for the physical security of the most critical facilities on the electric grid. How are utilities responding, and what are their primary concerns as FERC considers this rule-based approach? During today's OnPoint, Sue Kelly, the incoming president and CEO of the American Public Power Association, discusses the NERC process and talks about the potential impact a small-scale attack could have on the grid.
Monica Trauzzi: Hello, and welcome to OnPoint. I'm Monica Trauzzi. With me today is Sue Kelly, incoming president and CEO of the American Public Power Association. Sue, thank you for coming on the show.
Sue Kelly: My pleasure.
Monica Trauzzi: Sue, there's a lot of attention being paid right now in Washington to the issue of physical security of the electric grid. FERC has ordered NERC to come up with a set of standards for the most critical facilities. Why haven't utilities done more up until this point to sort of assess the risks and then act on them?
Sue Kelly: Well, just because a standard hadn't been ordered up until now doesn't mean that we haven't been assessing risks and acting on them. I think since 2001 we have been upping our game in both physical and cybersecurity over time, and I think we've had to become more aware and try to find different ways to protect different types of facilities.
That said, we have 55,000 substations, and we have a great variety of types of utilities. For example, my members are units of state and local government. There's about 2,000 of us. Some of us are very large, like LADWP; some of us have -- you know, our median is 2,000 meters. So it's a very broad and diverse industry, and I think painting us all with the same brush is probably not the best way to proceed to start with.
But what we have been doing is assessing our facilities over time and upping our game as we see risks developing. And of course the Metcalf incident was well-known in our industry before it ever broke into the popular consciousness. We just finished a 10-city tour where DHS and DOE and representatives from PG&E went around to meet with utilities and law enforcement all over the country to talk about this incident, to talk about lessons learned, to talk about how utilities and law enforcement could work together more closely to prevent these incidents. And we've also been working on trying to build more redundancy into the system. For example, if you have more transmission facilities, more ways to route power, then the loss of any one particular substation is less important. And of course we're also assessing the security at those substations.
So there's a lot of different ways to deal with this, and I think we have been doing a lot. Obviously, a standard has now been ordered by FERC under 215, and I'm happy to talk about that process and how it works.
Monica Trauzzi: We will.
Sue Kelly: But you know, it's -- we're gonna undertake that, we're gonna participate in it, and we will produce the standard.
Monica Trauzzi: So then, are you concerned that perhaps there won't be enough flexibility for utilities if there is this rule-based approach?
Sue Kelly: Well, I like to think -- if you read the commission's order instructing us to do this, they seem to understand that flexibility is the order of the day. First of all, they're talking about having you determine which facilities should be subjected to further scrutiny, and the standard that they use for that is right in section 215. They talk about cascading outages, instability. That's not every substation, which an outage there could create that kind of cascading effect. So first of all, it's identifying which facilities, then second you have to assess the threats and vulnerabilities for that, and then you develop a plan. And of course the threats and vulnerabilities could vary depending on whether it's urban, whether it's rural, how it's configured, so there's lots of different ways to proceed. And I think there will be a lot of flexibility in the standard, and I think acting Chairman LaFleur has said she understands the need for that. Commissioner Norris, of course, issued a concurrence to the order in which he also talked about the need for flexibility, so I think -- you know, I'm very hopeful that we're gonna work through this and develop a standard that works.
Monica Trauzzi: So how would you like to see NERC go through the process of creating these standards, and what should that standard look like in the end?
Sue Kelly: Well, I'm not gonna presume to say what the standard should look like in the end. First of all, I'm a lawyer; that would be a big mistake for me to write the standard. And what they've done is they've convened what's known as a standards drafting team, which is a group -- a small group of what we call subject matter experts, or SMEs if you live in the acronym world, with different types of expertise from different types of utilities. And they are already working on a draft standard. There's going to be -- the first big meeting will be April 1 in Atlanta, and it's going to be an open process. There will be two opportunities for what we call ballots. You know, there will be an initial ballot and a final ballot. Different drafts of the standards will go up. They'll be commented on by all different sectors of the industry. And there are a number of FERC employees who have been designated to work with NERC and with the standard drafting team and with the industry during this process.
So it's gonna be a collaborative effort. It's gonna have to be run in an expedited fashion to meet the 90-day deadline. But I think they've already got their plan of action in place to do that.
Monica Trauzzi: Members of Congress are paying close attention. There's legislation in both the House and Senate that would give FERC more flexibility for issuing standards and acting if there were to be some kind of event. Should FERC's authority be broadened on this?
Sue Kelly: Well, it's interesting you mention that, because I have not looked in detail at the most recently introduced legislation, but my understanding is it's based on the GRID Act. That act -- I was actually involved in drafting some of the sections of an industry version of that when we did it a few years ago. But that was really based on the situation on the ground at that time, and so much has changed since then. We now have the Electric Sub-Sector Coordinating Council, which is composed of CEOs from industry and very high-level employees of various government agencies: FBI, DOE, Department of Homeland Security. They're working together in a very collaborative fashion. And since that time, if you look at the presidential policy directive on the whole cybersecurity area, the designated agency for our industry is DOE, and frankly, I think that actually is the entity that we've been working the most with on these issues. So I think that legislation, while I note that it's been introduced, I'm not so sure it's the right legislation for our times, and I think we've really kind of moved past that in terms of industry-government coordination.
Monica Trauzzi: But are there too many sort of voices at the table when it comes to all the different agencies that are involved in this? Sen. McCain, for example, has suggested that that should be reorganized and perhaps streamlined a bit so that there's a little more clarity on who has jurisdiction over what.
Sue Kelly: I think the people that have to be at the table are at the table. When you look at what's going on with the Electric Sub-Sector Coordinating Council, you have DHS there, which of course looks at all the 16 sectors, the critical infrastructure sectors. You have DOE, our sector-specific agency. You have the FBI, which is the law enforcement arm. I think you have the right people at the table.
Monica Trauzzi: Based on your assessments, how much of an impact could even a small-scale attack have on the grid?
Sue Kelly: That is a very idiosyncratic question. It depends where the attack is, what the facility is. I can tell you that people come together to assess and to bring things back up and to ensure that nothing goes down. For example, if you look at Metcalf, one of our members, Silicon Valley Power, is in that direct vicinity. They brought their generation up to assist PG&E to make sure that service was maintained. So I think, you know, one attack on one facility I don't think necessarily would bring down the grid, and I have great confidence in our ability to assess it, to figure out what to do to bring it back up if that does create problems, and to work together to ensure that that doesn't happen again.
Monica Trauzzi: Very interesting. We'll end it there. Thank you for coming on the show.
Sue Kelly: All right, thank you. It was my pleasure.
Monica Trauzzi: And thanks for watching. We'll see you back here tomorrow.
[End of Audio]