New Grid Security Measures for 2016

Transcription

1 New Grid Security Measures for 2016 Two new laws that may have escaped attention by the industry have the potential to dramatically change the grid security landscape By Joel dejesus 40 Public Utilities Fortnightly February 2016

2 Can Stock Photo Inc. / Andreus O n the cybersecurity front, the industry is gearing up for the much anticipated Version 5 of the cybersecurity reliability standards that were first proposed by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC) in The standards become effective in April The industry is also now writing physical security plans for its most critical transmission substations under a physical security reliability standard that went into effect last October. While the NERC cybersecurity and physical security reliability standards have been in the making for a few years, two new laws enacted at the end of 2015 have the potential to dramatically change the grid security landscape. Since both laws were enacted as part of much broader year-end legislation that was not directly focused on the electric industry or energy, the statutes may have escaped attention by the industry. Nevertheless, they demand more consideration as we head into the new year. Cybersecurity Act of 2015 The more recent of the two laws is the aptly named Cybersecurity Act of It was enacted on December 18 as part of the Consolidated Appropriations Act, This was the nearly 900-page omnibus spending legislation, with the primary purpose to ensure $1.1 trillion in funding for the federal government for the upcoming year. The Cybersecurity Act of 2015 affects the federal government and all industries, not just the electric industry or the energy sector, and it appears to be a collection of various pieces of cybersecurity legislation Congress was working on for a while. Included among its provisions are titles to expand and enhance the National Cybersecurity and Communications Integration Center (NCCIC), which is the Department of Homeland Security s program for sharing and coordinating situational awareness of malicious cyber activities. The Cybersecurity Act of 2015 also includes provisions: n for enhancing the federal government s own cybersecurity, n for having the various federal agencies assess their existing cyber workforce and needs, and n for studies and reports to be conducted on a variety of cybersecurity topics (mobile device security, international cyberspace policy strategy, the cybersecurity of countries not likely to extradite cyber criminals, cybersecurity of emergency response systems, cybersecurity improvements in the healthcare industry, and the security of the federal government s computer systems). The main title of the Cybersecurity Act of 2015 is Title I, the Cybersecurity Information Sharing Act of 2015 (CISA 2015). It is based on legislation passed in the Senate last October. Joel dejesus has been practicing energy law for over 25 years, and was NERC s Director of Compliance Enforcement. He is currently a partner at Dinsmore & Shohl, LLP, where he regularly advises clients on electric reliability matters, particularly in the areas of cyber- and physical security. While CISA 2015 envisions a program of sharing and receiving cyber threat indicators through Homeland Security, it is unclear whether and to what extent it will displace or incorporate existing electric industry programs Although these provisions have been widely criticized as being more focused on surveillance than cybersecurity, CISA 2015 will have a profound impact on how the electric industry, and industry in general, goes about protecting itself from cyber attacks. Its key provisions include: n The development of procedures to share classified and cyber threat indicators and defensive measures across the federal government, and the creation of procedures to be used when the federal government shares this information with private industry; n The development of procedures for the federal government to receive cyber threat indicators and defensive measures; n Clear authorizations to private entities to monitor their information systems for security purposes and, with permission, other federal and private information systems and to operate defensive measures; n Clear authorizations to private entities to share or receive cyber threat indicators and defensive measures with the federal government and with non-federal entities; n Limitations on liability for any private entity that monitors an information system, operates defensive measures, or shares cyber threat information and defensive measures in accordance with this statute; and n Reporting on implementation and compliance with the act and on cybersecurity threats. It is clear the Cybersecurity Act of 2015, and in particular CISA 2015, paves the way for more robust public and private February 2016 Public Utilities Fortnightly 41

3 monitoring and protection of information systems, and the liability limits will ensure industries can take these steps to protect their information systems with limited risk of litigation. For the electric industry, however, a number of questions may need to be addressed in 2016 as the implementation of these statutes commences. For example, while CISA 2015 envisions a program of sharing and receiving cyber threat indicators through the Department of Homeland Security, it is unclear whether and to what extent this program will displace or incorporate existing electric industry programs under NERC s Electricity Information Sharing and Analysis Center (E-ISAC) or FERC s Office of Energy Infrastructure Security (OEIS). As noted on the E-ISAC s website, it has provided security services for electricity services owners and operators in North America since These security services include many of the activities contemplated for the Department of Homeland Security under CISA 2015: n gather[ing] and analyz[ing] security information, n coordinat[ing] incident management, and n communicat[ing] mitigation strategies with stakeholders within the Electricity Subsector, across interdependent sectors, and with government partners. Similarly, FERC created its OEIS in 2012 to provide leadership, expertise and assistance to the Commission to identify, communicate and seek comprehensive solutions to potential risks to FERC-jurisdictional facilities from cyber attacks and such physical threats as electromagnetic pulses. As the rules for information system monitoring and sharing of cyber threat indicators and defensive measures across public and private sectors are being written under CISA 2015, the federal government and the electric industry will need to provide significant consideration to programs for cyber monitoring, sharing, and coordination already in place. In addition, while the liability limitations in CISA 2015 go a long way to eliminate potential concerns by private industry that their cooperation in cyber monitoring and sharing of cyber threat indicators and defensive measures will not be used against them in litigation, the full scope of liability for cybersecurity under CISA 2015 is yet to be identified. For example, CISA 2015 is silent as to whether a cause of action may lie for an entity s failure to monitor its information systems in accordance with the act or the entity s refusal to share cyber threat indicators and defensive measures. Similarly, the act does not provide a clear roadmap for what private entities should do once they have received cyber threat indicators and defensive measures shared with them from other private entities or from the federal government. The extent to which CISA 2015 may create such ancillary liabilities appears to be left for the regulations that still need to be written in the implementation of CISA 2015 or for the courts to decide. Energy Security Amendments to the Federal Power Act If a year-end omnibus spending bill seems an odd place to find new cybersecurity requirements, the most recent amendments to the Federal Power Act have a similarly strange source. On December 4, 2015, the President signed into law the Fixing America s Surface Transportation (FAST) Act, and this seemingly innocuous highway bill was the vehicle (no pun intended) of significant changes to the Federal Power Act. These amendments are included in a section of the FAST Act entitled Energy Security, which is located in Division F toward the end of the Act. The most significant of these changes was the enactment of a new Section 215A of the Federal Power Act, which gives the Secretary of the Department of Energy authority to order emergency measures to protect or restore critical electric infrastructure and electric infrastructure in the 48 contiguous states and the District of Columbia that is critical to the defense of the United States. This authority is effective upon a directive or determination by the President of the United States identifying a grid security emergency. A grid security emergency is defined to include: n disruptions caused by a malicious act using electronic communications or electromagnetic pulse, geomagnetic storms, and n a direct physical attack on critical electrical infrastructure or defense critical electrical infrastructure, and, more generally, n any disruption that has significant adverse effects on the reliability of critical electrical infrastructure or defense critical electrical infrastructure. Unlike NERC s authority to write reliability standards that govern the conduct of owners, operators, and users of the bulk electric system, the Secretary s authority to order emergency measures governs not only owners, users, and operators of critical of critical electric infrastructure and defense critical electrical infrastructure, but also NERC and its regional entities, too. The Secretary s authority to order emergency measures is limited to a 15-day period, unless that period is extended for additional 15-day periods by further directives by the President. Section 215A also provides for handling information both during and beyond such grid security emergencies. In the context of grid security emergencies, the Secretary and other appropriate Federal agencies shall provide temporary access to classified information about the grid security emergency to entities that are subject to an order for emergency measures. Such access is intended to enable optimum communication between the entity and the Secretary and other appropriate Federal agencies regarding the grid security emergency. Beyond such grid security emergencies, Section 215A also creates a specific exemption from the Freedom of Information Act for critical electric infrastructure information. Section 215A requires FERC to issue rules within a year to facilitate the 42 Public Utilities Fortnightly February 2016

4 designation of critical electrical infrastructure information and to prevent its unauthorized disclosure. Those same rules, however, must also facilitate voluntary sharing of critical electrical infrastructure information with, between, and by FERC; other federal and state agencies; NERC and its regional entities; E-ISAC and other industry information sharing and analysis sectors; owners, operators and users of critical electric infrastructure; and other entities determined appropriate by the Commission. FERC and the Secretary of Energy are also directed to establish protocols with Canadian and Mexican authorities for the voluntary sharing of critical electrical information. Finally, Section 215A includes provisions limiting liabilities for entities complying with this provision. Any entity complying with an order for emergency measure, including any act or omission to voluntarily comply with such order, shall not be considered in violation of a reliability standard or other order, rule or provision in Section 215 of the Federal Power Act. Section 215 also provides such compliance with an emergency measure shall not be considered to be a violation of any conflicting Federal, State and local environmental laws and no federal or state causes of action shall lie for the voluntary sharing of critical electric infrastructure information under the rules to be issued by FERC under Section 215A. The one caveat to all of these liability limits, however, is they do not extend to protect entities acting in a grossly negligent manner. Beyond the addition of Section 215A to the Federal Power Act, the FAST Act includes four other provisions related to energy security. First, there is a provision requiring the Secretary of Energy to develop procedures to facilitate better response by federal and state agencies to oil and natural gas supply disruptions and to provide a status report to Congress within 180 days. Second, to address a long standing concern that Department of Energy s authority to issue orders in response to energy supply emergencies often gives rise to obligations that conflict with federal, state and local environmental laws, the FAST Act amends Section 202(c) of the Federal Power Act to ensure that Department of Energy s emergency orders are narrowly tailored to the hours necessary to meet the emergency and serve the public interest and that an entity s compliance with such order shall not be considered a violation of any federal, state or local environmental law. Third, recognizing large power transformers require long manufacturing lead times and cannot be easily replaced in the event of damage or disruption, the FAST Act provides the Secretary of Energy shall establish a plan for establishing and maintaining a Strategic Transformer Reserve for the storage of spare large power transformers and emergency mobile substations. Finally, the Energy Security provisions of the FAST Act concludes with a requirement the Secretary of Energy to develop (after public notice and comment) a report to Congress evaluating energy security in the United States. As with the Cybersecurity Act of 2015 and CISA 2015, the Energy Security provisions of the FAST Act, and in particular the addition of Section 215A to the Federal Power Act, raise both promise and questions for the protection of electric grid reliability and security. For example, while the Secretary of Energy s new authority to order emergency measures should allow for much quicker response to emerging security issues than can currently be accomplished by NERC and FERC under the existing reliability The new Section 215A of the Federal Power Act gives the Secretary of Energy authority to order emergency measures to protect or restore critical electric infrastructure effective upon a determination by the President identifying a grid security emergency standards regime, it is not clear whether the Secretary will have greater technical expertise to exercise such authority than FERC or NERC, both of which have day-to-day authority to address reliability and security issues. Moreover, while Subsection (b)(6) of Section 215A provides FERC shall consistent with the requirements of Section 205 establish a mechanism for recovery of substantial costs to comply with an emergency order of the Secretary of Energy, this provision raises several open issues regarding cost recovery. First, with respect to emergency orders related to defense critical electric infrastructure, the provision explicitly requires the owners and operators of such infrastructure bear the full incremental costs of the measures, but it does not address the possibility such funding may not be available. Second, although FERC may establish mechanisms for recovery of costs for other emergency measures, the statute is notably silent about cost recovery by entities not subject to FERC s rate jurisdiction, such as public power entities or electric cooperatives. Finally, the statute does not define what is meant by substantial costs. To the extent the statute does not clearly provide for full recovery of the costs of complying with emergency orders, it may undermine its own effectiveness. February 2016 Public Utilities Fortnightly 43

5 In the Public Interest FEBRUARY 2016 Rate Structure Philosophy New Technologies Require Community Storage Coming Postcards from Hawaii NARUC December 2015 Winter Meeting PUF s New Expanded Format The Solar Divide The regulatory paradigm is in the fray Solar at High Noon Community Solar Rate Reform in the Solar Era November 2015 Opting in for Time Varying Rates Renewable Odds Death Spiral Defined Rational Rate Design Questioning Market Manipulation Regulators CleartheAir Less carbon and safer pipelines keeping them busy Expert insight and analysis September THE BEST ENERGY COMPANIES Big Transmission? Storage Matures Automation s Forgotten Midwife in every issue January 2016 Tomorrow s Technologies NARUC President Travis Kavulla maps the way forward Grid-Connected Battery Storage: The Good, The Bad, and What Utilities are Doing In the Public Interest Your best source for unbiased and insightful coverage of the critical issues facing the energy industry. Subscribe today: fortnightly.com/subscribe or sign up for a no obligation trial at fortnightly.com/free-trial or call It appears both CISA 2015 and Section 215A of the Federal Power Act provide for similar voluntary programs for public/ private sharing of grid security information. However, since each statute uses different language to define its scope and to establish liability limitations, there will likely be a fair amount of confusion as to which program will govern sharing of information in any specific instance. This confusion may chill the sharing of grid security information both statutes are intended to encourage. Conclusion In the final days of 2015, Congress passed two pieces of legislation that will have a significant impact on the electric industry and grid security/reliability. As the industry heads into 2016, it will need to pay particular attention to the many open questions raised by these statutes and to the various regulatory proceedings that will be established to implement these statutes. PUF 44 Public Utilities Fortnightly February 2016