Seeking a ‘Sept. 12’ mindset for the grid

By Peter Behr | 03/22/2017 07:20 AM EDT

The electricity sector is buffeted by accelerating technology changes and indeterminable risks of cyber or physical attacks and natural calamities. The Trump White House is failing to keep up, industry officials say.

The Federal Energy Regulatory Commission building in Washington.

The Federal Energy Regulatory Commission building in Washington. Photo by Ryan McKnight, courtesy of Flickr.

The electric power industry and its new overseers in the Trump administration need "a Sept. 12" mindset, the head of the electric grid’s security monitor said yesterday.

"If something really, really, really, really bad happens, what do you wish you had been doing or not doing before that?" asked Gerry Cauley, CEO of the North American Electric Reliability Corp. (NERC), during a daylong conference in Washington.

Others at the conference said there’s a better analogy: the wrenching reappraisals of intelligence failures that followed the 9/11 terrorist attacks. The challenges facing the electric power sector are buffeted by accelerating technology changes and indeterminable risks of cyber or physical attacks and natural calamities.

Advertisement

Speakers at the session appeared to want several things from the Trump administration: continuity and open minds.

Continuity, in particular, means a commitment from the Energy Department to relaunch the Electricity Subsector Coordinating Council (ESCC), a top-level security threat-sharing partnership between utility chief executives and new administration leaders at or just below Energy Secretary Rick Perry’s level.

"We have to make sure the ESCC partnership continues," said Steven Naumann, vice president for transmission and NERC policy at Exelon Corp. "We may have access at the secretary’s level. That’s good."

Open minds are required to arrive at new approaches to managing change and risks that don’t fit well inside the confines of Washington politics.

Will the Trump administration cut back on DOE research and industry partnerships with DOE laboratories as part of its budget cutting for federal civilian agencies? That collaboration is the source of the Cybersecurity Risks Information Sharing Program, which provides classified analysis of sophisticated break-in attempts on grid locations.

Can new policies emerge to protect the federally regulated high-voltage network from threatening disruptions coming from local distribution utilities under state commission oversight? Where should mandatory, enforced regulations apply or voluntary standards apply?

"There are going to be harder decisions as to what belongs in a [mandatory] standard and what doesn’t," Cauley said.

Cheryl LaFLeur
Cheryl LaFleur. | Photo courtesy of the Federal Energy Regulatory Commission.

Cheryl LaFleur, acting chairwoman of the Federal Energy Regulatory Commission, opened the conference with a plea to President Trump to nominate replacements to fill three vacancies on the commission. The prior chairman, Norman Bay, resigned in January, shortly after Trump announced LaFleur’s elevation to acting chairwoman, and Bay’s departure leaves the commission one member short of a quorum and unable to exercise its normal authority.

"I was very disappointed," LaFleur said of the sudden turnover. "I would have rushed into Trump Tower to try to find someone not to do this."

LaFleur said she was hopeful that Trump’s enthusiasm for infrastructure investment would end up benefiting the grid (although grid investments are paid for by customers, not taxpayers).

She made the same point as NERC’s Cauley, that the grid’s invulnerability cannot be ensured, so more planning has to go into resiliency and recovery. "How do you put the grid back together?" she asked. The Trump administration’s DOE has inherited a mandate from Congress to develop plans to manage the power grid when the president declares a national emergency, which will oblige Perry’s DOE to find the right level of federal oversight and delegation to the industry.

‘It’s classified’

The industry’s need for better access to confidential threat information held by U.S. security agencies was a message people kept repeating yesterday.

Mark Ruelle, president and CEO of Westar Energy in Topeka, Kan., said his utility is fortunate to participate in a threat-sharing arrangement with a federal agency he did not name. "We are in a secure government facility, working with classified cyber intelligence. Who’s mucking around? What are they trying to do?"

Another conference panelist, Duane Highley, president and CEO of the Arkansas Electric Cooperative Corp., said a security auditor told him he had seen equipment in a utility control room that would not be allowed in a federal installation because it is too vulnerable to hackers.

"What is that equipment?" Highley said he asked. "Can’t tell you," was the auditor’s response. "It’s classified."

"What a shame it would be if we had a vulnerability that was known but wasn’t communicated," Highley said.

Exelon’s Naumann said the company’s Chicago-based utility is working on defenses against a ground-based electromagnetic pulse attack and must determine how to shield its facilities. There are classified studies that would help, if the company could see them, he said.

"It is a difficult process issue, but it really needs to be addressed," he said.

Sharla Artz, vice president for policy at the Utilities Telecom Council, said protecting the grid means protecting natural gas and telecommunications networks whose security is interconnected with the power system’s.

"We need to educate the whole of government and policymakers about those interdependencies," she said.

Daniel Brooks, director of grid operations and planning for the Electric Power Research Institute, said the expanding uncertainties about grid operation will push the industry toward more risk-based planning where threats are priorities based on assessments of their likelihood of happening. "It’s becoming more and more difficult to evaluate all the scenarios" that have to be planned for, he said.

But he added, "We don’t have commercially available tools" to do that. The industry isn’t even sure what data it needs to run through the models.

"We should not panic about the threat du jour," Naumann said. But at the same time, the industry now finds itself in the role of a vital national security asset because of the potential for crippling cyberattacks. "That means looking at things a lot of different ways."