This story was updated at 12:20 p.m. EDT.
The nation’s largest regional power grid operator, PJM Interconnection, has called for new federal regulation over natural gas pipelines to counter potential threats to electric power plant operations from disruptions or attacks affecting gas supplies.
The organization, which runs the high-voltage grid in 13 states and the District of Columbia, asserts that some gas pipelines hold back operating information that could be vital to gas-powered power plants in extreme situations.
PJM’s comments respond to an industrywide directive from the Federal Energy Regulatory Commission for assessments of power grid resilience. The agency is still accepting comments, with no indication of its plans on the issue.
The PJM response touches a live wire of energy policy, raising the issue of mandatory federal cyber and security regulation over some operations of the nation’s 300,000-mile interstate pipeline network, which the gas sector adamantly opposes. Thanks to the fracking revolution, natural gas fuels about one-third of the nation’s electricity output, up from 20 percent in 2008 and slightly ahead of coal. That has pushed gas-grid interdependency to the top of policy issues.
FERC in 2013 authorized the interstate pipelines it regulates to share nonpublic operating information with grid companies but did not require it.
While gas-grid collaboration has greatly improved in some cases, PJM said, other pipeline operators have held back. Some provide information only when it is posted publicly on their websites, with no advance private release to grid companies. Other pipelines contend that information about their customers’ gas use can’t be shared even for reliability reasons, causing system operators to go through "circuitous" approval hoops, PJM said.
"In PJM’s view, confidential information sharing should be both uniform and mandatory when the information is identified as needed to enhance the reliability" of grid and gas systems, said the grid operator.
"The time has come to move gas/electric coordination to the next level," for itself and the nine other North American regional transmission operators (RTOs), PJM said. RTOs operate 60 percent of grid electricity supply in the U.S. and Canada.
"PJM urges the commission to drive further coordination through the exercise of its authority over both natural gas pipelines and the electric industry," the organization said.
Officials of the American Gas Association and Interstate Natural Gas Association of America were preparing their comments to FERC yesterday and did not reply to the PJM filing. The industry is likely to argue that FERC lacks authority to do what PJM urges for the gas sector. INGAA’s board last week announced an expanded set of cyberdefense commitments by its member pipelines.
Former Department of Defense Assistant Secretary Paul Stockton said in an interview, "PJM’s response to FERC is enormously valuable and in many ways path-breaking." It is very difficult now for grid operators like PJM to get the information they need to be confident of their systems’ defenses, he added.
The level of information sharing among energy companies, government partners and the general public came under scrutiny earlier this month, after a cyberattack on a utility service provider forced several major gas pipelines to revert to backup billing and scheduling methods (Energywire, April 6).
While the flow of gas and electricity was reportedly unaffected, the episode raised questions about cybersecurity vulnerabilities in the gas sector.
PJM’s comments raise the volatile issue of whether the federal government’s voluntary oversight of pipeline cyberdefenses is adequate (Energywire, May 26, 2017).
"The standards governing cyber and physical security are markedly different between the two industries," PJM noted.
Government direction
Following the 2003 Northeast blackout, Congress authorized FERC to approve and enforce mandatory reliability and cyber regulation of interstate power networks. FERC also regulates permitting and rates for interstate gas pipelines, while safety rules fall to the Department of Transportation.
Pipeline cyber oversight, meanwhile, is managed by an agency better known for its role protecting the nation’s airports: the Transportation Security Administration, which has chosen voluntary standards over mandated rules.
Natural gas industry leaders have repeatedly told Congress that their long-haul pipeline networks have none of the vulnerabilities of interstate electric power transmission systems, making mandatory regulation unnecessary. The Natural Gas Council, representing five leading gas industry trade groups, made that argument in a July 2017 paper titled "Natural Gas Systems: Reliable and Resilient."
While electric power, traveling at nearly light speed, must be kept within tight tolerances at all times, gas moves at 15-20 miles per hour, giving operators much more time to respond to emergencies, the industry says.
Stockton said the difference in how security of the two energy systems is handled isn’t justified in the face of steadily increasing cyberthreats.
"[N]o mandatory standards exist for gas system reliability that are remotely equivalent to those that help strengthen the [bulk power interstate grid system] against attack," Stockton said in comments to FERC on behalf of Exelon Corp. Stockton, managing director of Sonecon LLC, provides strategic advisory service to Exelon and other energy companies.
In its filing, PJM also said grid and gas regulation should be aligned. "Although legislation would be needed to change this disparate paradigm, there is little reason why the approach by TSA and FERC to these cross-industry topics needs to be so diverse."
"[T]hrough greater inter-agency coordination, a base level of resilience to physical and cyber-attacks can be achieved even while still respecting the different regulatory authorities of each agency," PJM said.
On another issue, PJM questioned whether pipeline companies’ evaluations of their systems’ vulnerabilities were adequate.
It said that assessing the impact on the grid from pipeline incidents "lacks an overall national regulatory framework as well as the regulatory support to ensure that there is cooperation in identification of vulnerabilities and threats on the gas pipelines."
"The commission should direct cooperation on modeling in this area so that each RTO can appropriately carry out its responsibilities," it said.
RTOs need the government’s help in ensuring their cyberdefenses can meet the most advanced threats that may be highly classified, PJM said. "There needs to be a process for vulnerability threat verification, with government officials advising energy companies on security gaps that may exist," PJM said.
PJM’s proposed remedy is on target, Stockton said. FERC could gather classified threat information and then advise power grid companies on whether their resilience strategies were adequate and what to do about defense gaps, he said.
"The commission would verify the reasonableness of [grid companies’] security assessments. That would provide for much stronger support for resilience assessments than exists today," he said.
Going beyond that, he said, FERC and the Energy Department could tap government resources to provide threat assessments to energy companies "at the front end of the process rather than the back," patterned after the "design basis threats" that define potential emergencies at nuclear power plants that operators must be prepared to manage safely.
Threat assessments
In February 2017, the Government Accountability Office told Congress that TSA and other Department of Homeland Security agencies had not created threat assessment benchmarks demanded by Congress in 2014. GAO is revisiting government oversight of pipeline physical protections and cybersecurity readiness, with a report expected this fall, a GAO spokesman said.
In the past year, TSA and the gas industry have taken new steps to strengthen pipeline defenses. TSA recently published new pipeline security guidelines, crafted with input from major gas companies and industry groups.
The agency requests it be notified when pipeline operators spot unusual activity or a "deliberate attempt to disrupt pipeline operations." The guidelines are not binding, meaning TSA authorities count on private-sector cooperation.
TSA Administrator David Pekoske defended his agency’s approach to the issue at a House budget hearing last month.
"I find that voluntary guidelines in this regard actually get us further towards a good security solution than perhaps regulations would," Pekoske told the House Homeland Security Subcommittee on Transportation and Protective Security on Thursday.
Asked by Rep. Clay Higgins (R-La.) about efforts to track security threats and promote better defenses, Pekoske said TSA shares intelligence with the pipeline industry and cited "excellent" updates to 7-year-old security guidance.
"The advancement of security practices to meet the ever changing threat environment in both the physical and cyber security realms required that the guidelines be updated again," TSA noted in a background summary of the changes.
But the agency went on to caution that the guidance document "does not impose requirements on any person or company" and instead amounts to official recommendations.
PJM’s comments to FERC go further than other regional grid organizations in asserting specific weaknesses in information sharing and threat identification.
"PJM was trying to be responsive to the chairman’s public statements that he wanted very specific recommendations from the RTOs," said Craig Glazer, PJM vice president for federal government policy.
"Some RTOs saw it as a message to report on what they were doing. We decided in addition to give specific recommendations for issues that were beyond any one RTO’s ability to solve," Glazer said in an interview.
"It doesn’t mean the other RTOs were wrong or ours was right," he said. "It is a different approach."