Public Power's Position
Grid security is and should be much more than a compliance exercise. The goal of every utility and the entire industry is to manage risk prudently, knowing that facilities cannot be protected 100% of the time from all threats.
- The electric sector has mandatory and enforceable federal regulatory standards in place for cyber and physical security (collectively known as grid security).
- Close coordination among industry and government partners at all levels is imperative to deterring attacks and preparing for emergency situations.
- Congress should postpone consideration of legislation to create additional cyber incident reporting mandates for the energy sector until the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is fully implemented.
About the Issue
Cyber and physical security related to electric system infrastructure - collectively known as grid security - comprises four key pillars:
- Mandatory and enforceable standards
- Information sharing
- Public-private partnerships
- Preparedness exercises
Standards
The North American Electric Reliability Corporation (NERC), working with electric industry experts, regional entities, and government representatives, regularly drafts standards that apply to the North American grid. Participation by industry experts and compliance personnel in the NERC critical infrastructure protection (CIP) standards development process ensures that the standards are technically sound, fair, and balanced. The Federal Energy Regulatory Commission (FERC) then has the power to approve or remand those standards as they apply in the United States. To ensure compliance, under FERC’s oversight, NERC and its regional entities conduct rigorous audits and can levy substantial fines for non-compliance. Additionally, FERC can instruct NERC to develop new or revised reliability standards on a very short turnaround. CIP standards establish an important baseline of security — but they are a floor, not a ceiling — and grid security is and should be much more than a compliance exercise.
Information Sharing
The ability to protect sensitive electric information from public disclosure is critical to grid security. The electric sector has long been subject to cyber incident reporting mandates to the Department of Energy (DOE) via an Electricity Emergency Incident and Disturbance Report (OE-417) and NERC/FERC. Moreover, there is robust industry participation in information sharing organizations, including the Electricity Information Sharing and Analysis Center (E-ISAC) and the Multi-State Information Sharing and Analysis Center.
Another layer of mandatory cyber incident sharing requirements will be added through the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Signed into law in March 2022, CIRCIA will require covered critical infrastructure entities to report cyber incidents within 72 hours and ransomware payments within 24 hours to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The law gives CISA significant discretion in implementation, including defining what constitutes a covered entity. APPA filed comments in response to a request for information kicking off the CIRCIA rulemaking asking CISA to take a careful and deliberative approach to implementation, taking into account existing reporting mandates and organizations, and to appropriately tailor reporting mandates commensurate with risk to national security.
Public-Private Partnerships
The electric power industry works closely with the federal government on matters of critical infrastructure protection. One important venue for this collaboration is the Electric Subsector Coordinating Council (ESCC). The ESCC serves as the principal liaison between the federal government and the electric power sector, with the mission of coordinating efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure. APPA and public power utilities play a leadership role on the ESCC, which includes utility CEOs and trade association leaders representing all segments of the industry. Their counterparts include senior administration officials from the White House, relevant Cabinet agencies, federal law enforcement, and national security organizations.
APPA works closely with DOE on a number of fronts. Notably, APPA has been awarded three grants since 2016 to help strengthen the cybersecurity posture of public power utilities. A new program at DOE, the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance (RMUC) program, which passed as part of the Infrastructure Investment and Jobs Act, is based on the successes of these grant programs. The RMUC program is authorized at a total of $250 million in grants and technical assistance over five years to rural, municipal, and small investor-owned electric utilities to enhance their security posture. APPA and many public power utilities are expected to benefit from this program.
Preparedness and Risk Management
The goal of every utility and the entire industry is to manage risk prudently. The electric power industry employs a threat mitigation approach known as “defense-in-depth” that focuses on preparation, prevention, response, and recovery for “all hazard” threats to electric grid operations. Some related activities include:
- Exercises. Electric utilities plan and regularly exercise for a variety of emergency situations that could impact their ability to provide electricity. One of the biggest exercises, GridEx, is managed by NERC and the E-ISAC and takes place every two years.
- Mutual aid. The electric utility industry has long had mutual aid networks in place to share employees and resources to restore power after natural disasters and other emergencies. The ESCC used the concept of traditional mutual assistance networks to develop the Cyber Mutual Assistance program that can help electric and natural gas companies, public power utilities, and/or rural electric cooperatives restore critical computer systems following significant cyber incidents.
- Equipment sharing. Electric utilities regularly share transformers and other equipment through sharing arrangements and agreements. The industry is expanding equipment sharing programs — like the Spare Transformer Equipment Program, SpareConnect, and Grid Assurance — to improve grid resiliency.