New Grid Security Measures for 2016


Two new laws that may have escaped attention by the industry have the potential to dramatically change the grid security landscape.

By Joel deJesus
Public Utilities Fortnightly, February 2016

On the cybersecurity front, the industry is gearing up for the much anticipated Version 5 of the cybersecurity reliability standards that were first proposed by the North American Electric Reliability Corporation (NERC) and approved by the Federal Energy Regulatory Commission (FERC) in 2013. The standards become effective in April 2016. The industry is also now writing physical security plans for its most critical transmission substations under a physical security reliability standard that went into effect last October.

While the NERC cybersecurity and physical security reliability standards have been in the making for a few years, two new laws enacted at the end of 2015 have the potential to dramatically change the grid security landscape. Since both laws were enacted as part of much broader year-end legislation that was not directly focused on the electric industry or energy, the statutes may have escaped attention by the industry. Nevertheless, they demand more consideration as we head into the new year.

Cybersecurity Act of 2015

The more recent of the two laws is the aptly named Cybersecurity Act of 2015. It was enacted on December 18 as part of the Consolidated Appropriations Act, 2016. This was the nearly 900-page omnibus spending legislation, with the primary purpose to ensure $1.1 trillion in funding for the federal government for the upcoming year. The Cybersecurity Act of 2015 affects the federal government and all industries, not just the electric industry or the energy sector, and it appears to be a collection of various pieces of cybersecurity legislation Congress had been working on for a while. Included among its provisions are titles to expand and enhance the National Cybersecurity and Communications Integration Center (NCCIC), which is the Department of Homeland Security's program for sharing and coordinating situational awareness of malicious cyber activities.

The Cybersecurity Act of 2015 also includes provisions:
- for enhancing the federal government's own cybersecurity,
- for having the various federal agencies assess their existing cyber workforce and needs, and
- for studies and reports to be conducted on a variety of cybersecurity topics (mobile device security, international cyberspace policy strategy, the cybersecurity of countries not likely to extradite cyber criminals, cybersecurity of emergency response systems, cybersecurity improvements in the healthcare industry, and the security of the federal government's computer systems).

The main title of the Cybersecurity Act of 2015 is Title I, the Cybersecurity Information Sharing Act of 2015 (CISA 2015). It is based on legislation passed in the Senate last October. Although these provisions have been widely criticized as being more focused on surveillance than cybersecurity, CISA 2015 will have a profound impact on how the electric industry, and industry in general, goes about protecting itself from cyber attacks.

Its key provisions include:
- The development of procedures to share classified and cyber threat indicators and defensive measures across the federal government, and the creation of procedures to be used when the federal government shares this information with private industry;
- The development of procedures for the federal government to receive cyber threat indicators and defensive measures;
- Clear authorizations to private entities to monitor their information systems for security purposes and, with permission, other federal and private information systems, and to operate defensive measures;
- Clear authorizations to private entities to share or receive cyber threat indicators and defensive measures with the federal government and with non-federal entities;
- Limitations on liability for any private entity that monitors an information system, operates defensive measures, or shares cyber threat information and defensive measures in accordance with this statute; and
- Reporting on implementation of and compliance with the act and on cybersecurity threats.

It is clear the Cybersecurity Act of 2015, and in particular CISA 2015, paves the way for more robust public and private monitoring and protection of information systems, and the liability limits will ensure industries can take these steps to protect their information systems with limited risk of litigation.

For the electric industry, however, a number of questions may need to be addressed in 2016 as the implementation of these statutes commences. For example, while CISA 2015 envisions a program of sharing and receiving cyber threat indicators through the Department of Homeland Security, it is unclear whether and to what extent this program will displace or incorporate existing electric industry programs under NERC's Electricity Information Sharing and Analysis Center (E-ISAC) or FERC's Office of Energy Infrastructure Security (OEIS). As noted on the E-ISAC's website, it has provided security services for electricity services owners and operators in North America since 1998. These security services include many of the activities contemplated for the Department of Homeland Security under CISA 2015:
- gather[ing] and analyz[ing] security information,
- coordinat[ing] incident management, and
- communicat[ing] mitigation strategies with stakeholders within the Electricity Subsector, across interdependent sectors, and with government partners.

Similarly, FERC created its OEIS in 2012 to provide leadership, expertise and assistance to the Commission to identify, communicate and seek comprehensive solutions to potential risks to FERC-jurisdictional facilities from cyber attacks and such physical threats as electromagnetic pulses. As the rules for information system monitoring and sharing of cyber threat indicators and defensive measures across public and private sectors are being written under CISA 2015, the federal government and the electric industry will need to give significant consideration to the programs for cyber monitoring, sharing, and coordination already in place.

In addition, while the liability limitations in CISA 2015 go a long way toward eliminating potential concerns by private industry that their cooperation in cyber monitoring and sharing of cyber threat indicators and defensive measures might be used against them in litigation, the full scope of liability for cybersecurity under CISA 2015 is yet to be identified. For example, CISA 2015 is silent as to whether a cause of action may lie for an entity's failure to monitor its information systems in accordance with the act or the entity's refusal to share cyber threat indicators and defensive measures. Similarly, the act does not provide a clear roadmap for what private entities should do once they have received cyber threat indicators and defensive measures shared with them by other private entities or by the federal government. The extent to which CISA 2015 may create such ancillary liabilities appears to be left for the regulations that still need to be written in the implementation of CISA 2015, or for the courts to decide.

Energy Security Amendments to the Federal Power Act

If a year-end omnibus spending bill seems an odd place to find new cybersecurity requirements, the most recent amendments to the Federal Power Act have a similarly strange source. On December 4, 2015, the President signed into law the Fixing America's Surface Transportation (FAST) Act, and this seemingly innocuous highway bill was the vehicle (no pun intended) for significant changes to the Federal Power Act. These amendments are included in a section of the FAST Act entitled Energy Security, which is located in Division F toward the end of the Act.

The most significant of these changes was the enactment of a new Section 215A of the Federal Power Act, which gives the Secretary of the Department of Energy authority to order emergency measures to protect or restore critical electric infrastructure and electric infrastructure in the 48 contiguous states and the District of Columbia that is critical to the defense of the United States. This authority is effective upon a directive or determination by the President of the United States identifying a grid security emergency. A grid security emergency is defined to include:
- disruptions caused by a malicious act using electronic communications or electromagnetic pulse, geomagnetic storms, and
- a direct physical attack on critical electrical infrastructure or defense critical electrical infrastructure, and, more generally,
- any disruption that has significant adverse effects on the reliability of critical electrical infrastructure or defense critical electrical infrastructure.

Unlike NERC's authority to write reliability standards that govern the conduct of owners, operators, and users of the bulk electric system, the Secretary's authority to order emergency measures governs not only owners, users, and operators of critical electric infrastructure and defense critical electrical infrastructure, but also NERC and its regional entities. The Secretary's authority to order emergency measures is limited to a 15-day period, unless that period is extended for additional 15-day periods by further directives by the President.

Section 215A also provides for handling information both during and beyond such grid security emergencies. In the context of grid security emergencies, the Secretary and other appropriate Federal agencies shall provide temporary access to classified information about the grid security emergency to entities that are subject to an order for emergency measures. Such access is intended to enable optimum communication between the entity and the Secretary and other appropriate Federal agencies regarding the grid security emergency. Beyond such grid security emergencies, Section 215A also creates a specific exemption from the Freedom of Information Act for critical electric infrastructure information. Section 215A requires FERC to issue rules within a year to facilitate the designation of critical electrical infrastructure information and to prevent its unauthorized disclosure. Those same rules, however, must also facilitate voluntary sharing of critical electrical infrastructure information with, between, and by FERC; other federal and state agencies; NERC and its regional entities; E-ISAC and other industry information sharing and analysis sectors; owners, operators and users of critical electric infrastructure; and other entities determined appropriate by the Commission. FERC and the Secretary of Energy are also directed to establish protocols with Canadian and Mexican authorities for the voluntary sharing of critical electrical information.

Finally, Section 215A includes provisions limiting liabilities for entities complying with this provision. Any entity complying with an order for emergency measures, including any act or omission to voluntarily comply with such order, shall not be considered in violation of a reliability standard or other order, rule or provision in Section 215 of the Federal Power Act. Section 215A also provides that such compliance with an emergency measure shall not be considered a violation of any conflicting Federal, State and local environmental laws, and that no federal or state causes of action shall lie for the voluntary sharing of critical electric infrastructure information under the rules to be issued by FERC under Section 215A. The one caveat to all of these liability limits, however, is that they do not extend to protect entities acting in a grossly negligent manner.

Beyond the addition of Section 215A to the Federal Power Act, the FAST Act includes four other provisions related to energy security. First, there is a provision requiring the Secretary of Energy to develop procedures to facilitate better response by federal and state agencies to oil and natural gas supply disruptions and to provide a status report to Congress within 180 days. Second, to address a long-standing concern that the Department of Energy's authority to issue orders in response to energy supply emergencies often gives rise to obligations that conflict with federal, state and local environmental laws, the FAST Act amends Section 202(c) of the Federal Power Act to ensure that the Department of Energy's emergency orders are narrowly tailored to the hours necessary to meet the emergency and serve the public interest, and that an entity's compliance with such an order shall not be considered a violation of any federal, state or local environmental law. Third, recognizing that large power transformers require long manufacturing lead times and cannot be easily replaced in the event of damage or disruption, the FAST Act provides that the Secretary of Energy shall establish a plan for establishing and maintaining a Strategic Transformer Reserve for the storage of spare large power transformers and emergency mobile substations. Finally, the Energy Security provisions of the FAST Act conclude with a requirement that the Secretary of Energy develop (after public notice and comment) a report to Congress evaluating energy security in the United States.

As with the Cybersecurity Act of 2015 and CISA 2015, the Energy Security provisions of the FAST Act, and in particular the addition of Section 215A to the Federal Power Act, raise both promise and questions for the protection of electric grid reliability and security. For example, while the Secretary of Energy's new authority to order emergency measures should allow for much quicker response to emerging security issues than can currently be accomplished by NERC and FERC under the existing reliability standards regime, it is not clear whether the Secretary will have greater technical expertise to exercise such authority than FERC or NERC, both of which have day-to-day authority to address reliability and security issues.

Moreover, while Subsection (b)(6) of Section 215A provides that FERC shall, consistent with the requirements of Section 205, establish a mechanism for recovery of substantial costs to comply with an emergency order of the Secretary of Energy, this provision raises several open issues regarding cost recovery. First, with respect to emergency orders related to defense critical electric infrastructure, the provision explicitly requires that the owners and operators of such infrastructure bear the full incremental costs of the measures, but it does not address the possibility that such funding may not be available. Second, although FERC may establish mechanisms for recovery of costs for other emergency measures, the statute is notably silent about cost recovery by entities not subject to FERC's rate jurisdiction, such as public power entities or electric cooperatives. Finally, the statute does not define what is meant by substantial costs. To the extent the statute does not clearly provide for full recovery of the costs of complying with emergency orders, it may undermine its own effectiveness.

It appears both CISA 2015 and Section 215A of the Federal Power Act provide for similar voluntary programs for public/private sharing of grid security information. However, since each statute uses different language to define its scope and to establish liability limitations, there will likely be a fair amount of confusion as to which program will govern sharing of information in any specific instance. This confusion may chill the sharing of grid security information that both statutes are intended to encourage.

Conclusion

In the final days of 2015, Congress passed two pieces of legislation that will have a significant impact on the electric industry and grid security/reliability. As the industry heads into 2016, it will need to pay particular attention to the many open questions raised by these statutes and to the various regulatory proceedings that will be established to implement these statutes.

Joel deJesus has been practicing energy law for over 25 years, and was NERC's Director of Compliance Enforcement. He is currently a partner at Dinsmore & Shohl, LLP, where he regularly advises clients on electric reliability matters, particularly in the areas of cyber- and physical security.