View recent news coverage highlighting interviews and quotes from LPPC.
July 15, 2017
By John Di Stasio, President, Large Public Power Council
Public utilities provide power to millions of Americans.
What sets public power, like the locally owned Imperial Irrigation District (IID), apart from others is that these utilities do not have private investors or shareholders. This allows them to focus directly on serving the interests and needs of customers. As a not-for-profit, all financial returns are reinvested into the grid instead of paying for things like share buybacks or dividends. As a result, customers benefit from lower than average rates and a more stable infrastructure, which translates to energy that is both affordable and reliable.
As solar power continues to grow in California and across the nation, investing in and embracing cleaner energy is an important component of delivering these widespread benefits to customers. But to do so effectively, it is important to ensure the right programs and resources are in place. Public utilities like IID are investing in technologies and resources to tap into this energy source to meet increased consumer demand. In fact, at the Large Public Power Council (LPPC), our members (which include IID) are constantly looking to optimize all available resources to provide customers with clean energy at a low cost.
Access to diverse fuel sources like solar energy is essential to balancing overall costs and demand. And in most cases, solar makes up a sizable piece of a diverse energy mix. As the former CEO of Sacramento Municipal Utility District (SMUD), I know firsthand how important solar has been in growing clean energy here in California and helping the state meet its renewable energy goals. In fact, back in 2010, SMUD became California’s first large utility to meet the state’s goal of having more than 20 percent of renewables in its energy mix. SMUD currently generates half of its energy from non-carbon sources.
Taking into account the changing energy landscape and new demands, utilities often reevaluate their pricing structures and programs to make sure the needs of all customers are being fairly met. IID did this recently when it implemented its new Net Billing program last year. This was an important change made to help sustain solar for customers in the region over the long term.
IID’s Net Billing program was created to help strike a fairer balance between the rates both solar customers and non-solar customers are paying, while still preserving the viability of this energy source. The goal is to make sure there is not undue financial burden placed on customers who don’t have rooftop solar panels.
This is not only a matter of creating fairer pricing around energy usage, but also extends to costs associated with maintaining and modernizing the grid. Utilities need to invest regularly in upgrading infrastructure so it is always ready to meet the energy demands of all customers within a given service territory.
If rate policies are not structured properly, these grid costs are disproportionately passed along to non-solar customers. While solar customers sometimes use less energy overall from the grid, they still rely on the existing infrastructure to access energy during peak energy times like evenings when demand increases, but the sun begins to wane. In turn, utilities must have the proper resources in place that can ramp up to meet peak demand. To maintain affordability, it’s necessary to have these costs spread evenly between all customers.
# # #
RTO Insider: Steven Wright, GM of Chelan County PUD, Speaks On Behalf Of LPPC At FERC Tech Conference On Reliability Standards
June 26, 2017
By Michael Brooks
WASHINGTON — A decade of mandatory standards has improved the grid’s reliability, but it’s time for regulators to prune unnecessary rules, speakers told FERC on Thursday.
At its annual technical conference on reliability, the commission delved into the weeds on compliance enforcement, gas-electric coordination and cybersecurity (AD17-8).
NERC received accolades from many who spoke at the conference for its continual improvement of the grid’s reliability; its transparency and coordination with other stakeholders; and its Reliability Assurance Initiative, a risk-based approach to compliance enforcement approved in 2015 that allows facilities to self-log minor violations — and NERC to focus on the most serious issues. The initiative also included the creation of Inherent Risk Assessment (IRA) profiles for facilities, which help NERC decide what standards to focus on.
FERC’s conference came days after the 10th anniversary of the first mandatory reliability standards under FERC Order 693 and a week after NERC released its State of Reliability report, from which CEO Gerry Cauley recounted some key statistics in his opening remarks. (See NERC: Despite Solid 2016, Grid Threats Remain.)
“Bulk Power System reliability remains very high and continues to show year-over-year improvement,” Cauley said. “Industry has been very responsive to our risk-based approach and has been shifting resources to fix the most critical challenges to reliability. … These standards have had a major impact on reducing risk. Over time, we’ve seen a dramatic decline in the number and severity of compliance violations.”
But Cauley and many other panelists said it was time for another “Paragraph 81” process, referring to a provision in the commission’s March 2012 approval of NERC’s Find, Fix, Track and Report process that directed the organization to identify requirements that do little to protect reliability and could be removed. FERC ended up approving the retirement of 34 such requirements (RC11-6, et al.).
“It may be time to focus again on streamlining the requirements to ensure the investment in compliance is commensurate with the reliability gains,” Cauley said.
Speaking on behalf of the Large Public Power Council, Steven Wright, general manager of the Chelan Public Utility District in Washington state, wanted to go a step further. The risk-based approach hasn’t reduced Chelan’s documentation requirements: Of the 1,236 requirements and sub-requirements applicable to the utility, only four qualify for self-logging, Wright said.
He suggested that entities be granted waivers from certain standards if the IRA indicates their implementation of them doesn’t affect the grid.
Cauley disagreed with that idea, calling it an “optional menu.” NERC’s Regional Entities “legally have the discretion today to monitor and enforce whichever standards we feel suit an individual entity. And that’s really the purpose of the Inherent Risk Assessment. … I think the regions could do a better job of explaining that and explaining what could be looked at.
“But I don’t think it makes sense to take a North American set of standards and create sort of a little checklist matrix for each entity. The standards are the standards.”
Wright also suggested that there be more incentives for entities’ standard compliance, which Commissioner Colette Honorable pushed back on.
“I have a 16-year-old daughter, and she gets good grades. But I think she could get better grades,” she said. “So do I reward her for … getting the grades she should be getting anyway?”
Wright did not directly respond to the question of carrot vs. stick, but he made clear he felt LPPC’s members haven’t gotten enough “bang for our buck.”
“We are spending a lot of money” on IRAs and Internal Controls Evaluation, another RAI component, he said. “And I think it’s a good thing because we’re improving reliability, but if we can find efficiencies we should get them.”
‘Special Assessment’ on Gas Dependence
Acting FERC Chair Cheryl LaFleur asked what the commission or NERC should be doing to account for the increasing reliance on natural gas pipelines for baseload power. She pointed out that FERC has no jurisdiction over the reliability of natural gas pipelines (which belongs to the Transportation Department’s Pipeline and Hazardous Materials Safety Administration), but it does have jurisdiction over those who burn the gas.
“Should we be changing our planning standards in some way to take that potential loss of the pipeline into account or the gas storage” site? she asked. “Aliso Canyon brings that into the front of the discussion.”
Cauley responded that NERC is working on a special assessment report on the issue. The organization has been analyzing key pipelines and storage facilities and the potential impact of losing them on the grid.
“It will be clear from this report, I believe, that you should be planning for the loss of a most critical, most impactful facility, including if it’s on a gas system,” he said. “I am concerned that you have certain reliability standards and expectations on an electric system and what I consider a foundational piece — the fuel deliverability piece — doesn’t have an equivalent.”
Patricia Hoffman, acting assistant secretary of the Energy Department’s Office of Electric Delivery and Energy Reliability, suggested that grid operators do assessments to determine how dependent regions are on one fuel source.
The threat of cyberattacks took up a sizeable portion of the daylong conference.
NERC Chief Security Officer Marcus Sachs revealed that the organization had only learned about the most serious threat to date — malware known as CrashOverride — days before it was made public by two cybersecurity firms earlier this month. The program, which can control circuit breakers via supervisory control and data acquisition (SCADA) systems, was used last December to briefly cut power to about one-fifth of Kiev, Ukraine. (See Experts ID New Cyber Threat to SCADA Systems.)
Sachs recounted that NERC learned of CrashOverride on the afternoon of Friday, June 9. ESET, a Slovakian antivirus software provider, had contacted Maryland-based Dragos, asking it to review its findings before it publicized them on Monday. Dragos then contacted NERC, which worked over the weekend reviewing ESET’s work and producing a report. Dragos also produced its own report over the weekend.
“If we didn’t have those public-private partnerships already existing, we would have failed that weekend, and you would have had a huge media splash on Monday morning that none of us would have been ready for,” Sachs said.
Many experts believe hackers based in Russia are behind the attacks on Ukraine, which Sachs said has been under “relentless assault” for the past couple years: Banking, railroads and Internet service providers have all experienced disruptions.
But while everything points to Russia, it is also possible individuals posing as Russians are behind the attacks, Sachs said.
Speaking to RTO Insider, Sachs pointed to the Solar Sunrise incident in 1998, in which two teenagers from California attacked Defense Department systems and led the military to believe they were from Iraq. “Just because it looks like a duck, smells like a duck, quacks like a duck — it may be a moose,” he said.
There was considerable discussion about understaffing at the entities responsible for protecting against cyber threats. Many agreed that the supply of qualified cybersecurity workers is too small to meet the very high demand.
“At the state level, we’re generally not staffed for this type of thing,” New Hampshire Public Utilities Commissioner Robert Scott said. “We don’t have the expertise.”
“The electric utility, 30 years ago, was the place to go to out of college,” said Greg Ford, CEO of Georgia System Operations, a cooperative that provides power to half the households in the state. “Today it’s harder and harder to lure those college students.”
“It’s easier to find individuals who are familiar with cybersecurity when it comes to traditional [information technology] and Windows-based infrastructure,” said David Ball, director of AEP Transmission Dispatching. “The more difficult skill set to find today is … a power-based background” and familiarity with SCADA.
“People with these type of skills are very marketable and they’re very mobile,” Scott agreed. “At the state level, we can’t hope to attract those type of people.”
Sachs pointed out, however, that middle and high schools are increasingly sponsoring competitive cybersecurity exercises and students are competing in “hack-a-thons.”
“This is good news,” he said. “And it’s something we need to leverage. … Getting into cybersecurity is absolutely what we want these young kids to do.”
“All I can say to that is ‘Amen,’” Honorable replied.
May 24, 2017
SEEN AROUND TOWN: At the Hall of States for the Large Public Power Council's 30th Anniversary reception Monday: Sen. Cory Gardner (R-Colo.); acting FERC Chairman Cheryl LaFleur; former Sen. Mary Landrieu (D-La.); former Rep. Norm Dicks (D-Wash.); Tom Kuhn, president of Edison Electric Institute; Sue Kelly, president and CEO of the American Public Power Association; and John Di Stasio, president of the LPPC (h/t POLITICO Influence).
# # #
May 23, 2017
Pointing this out: Pruitt tweeted that he addressed the Large Public Power Council about his plan to bring "energy independence" to the country. It's a frequent talking point for Pruitt, but not one that's part of the agency's historical mission. According to its own website, EPA's purpose is to protect human health and the environment. Pruitt also dropped by the Congressional Coal Caucus meeting Monday where he again talked about energy independence. Another pic.
# # #
May 22, 2017
HITTING THE TOWN: Twenty CEOs from the Large Public Power Council, which represents the 26 largest consumer-owned utilities in the U.S., are in town today and tomorrow for meetings with administration officials and lawmakers on tax reform, infrastructure and cybersecurity. The group also celebrates its 30th anniversary with a reception tonight.
# # #
April 6, 2017
By John Di Stasio
For more than a decade, electric utilities, the U.S. government and other organizations have been building a robust and multi-faceted defense against cyberattacks that would disrupt the operations of the U.S. electric grid. At the same time, the cyber threat has evolved, the number of attacks has increased and the nature of attacks has advanced. The security that we’ve gained isn’t fail-safe against new and emerging threats. The risks and challenges posed by this type of dynamic risk require a defense in depth that includes a focus on prevention, resiliency and recovery.
The capabilities of the electric utility industry in each of these areas have grown significantly over the past decade, increasing our knowledge of the threat environment, known threat vectors, and best practices aimed at building a mature and flexible security posture. As Congress and the Trump administration explore technology advancements to minimize cybersecurity threats, it’s important to consider how we got here.
As far back as 1999, the realities of an increasingly digital world, and the related risks, became a national focus. There was a comprehensive national effort to prepare for “Y2K” and potential disruptions to digital systems as we entered a new millennium. In 2005, through the Energy Policy Act, Congress approved the process for mandatory, enforceable reliability standards for the bulk power system. In 2007, Idaho National Laboratory’s “Aurora” experiment suggested that control systems for generating stations might be hacked and manipulated. In December 2015, a cyber attack on the Ukrainian grid underscored concerns over the grid’s vulnerability.
Fortunately, in each case, we increased our knowledge and evolved our defenses through collaboration, standards, exercises, information sharing and best practices designed to harden the defenses of the electric grid. We had the benefit of developing these capabilities without the consequences of an actual event disrupting our national grid.
The electric industry has always held reliability of service as its highest priority, and we are approaching the deterrence of the threats of tomorrow with the same focus and rigor as we have in defending against past and current threats.
We have implemented the nation’s only mandatory suite of cyber security standards, the Critical Infrastructure Protection standards, promulgated by the Federal Energy Regulatory Commission, and the North American Electric Reliability Corporation (NERC). We have increased our situational awareness through expanded coordination with the Electricity Information and Analysis Center and the Industrial Control Systems Cyber Emergency Response Team. We have also expanded our partnership with government through participation in the Electric Sub-Sector Coordinating Council and the Department of Energy’s Office of Energy Delivery and Reliability.
The ESCC has recently established a Cyber Mutual Assistance program to allow for timely support in the face of a cyber attack to any member utility or group of utilities. This model has long been in place to address extreme weather outages so we have a long history of practicing mutual aid. We also share best practices through our national associations to raise the individual and collective cyber-readiness of the industry.
After more than a decade of public and private sector collaboration and engagement, the foundation and framework are in place for a multi-faceted defense in depth. But we know we cannot stand still.
There is much yet to be done to anticipate new cyber threats and to continue to build our security capacity and capability. We welcome the opportunity to work with policymakers and regulators as they grapple with this national security risk, but we continue to believe that the flexible, risk-based framework we’ve built together gives us the chance to evolve our mitigation as the risks evolve.
An earlier version of this op-ed incorrectly stated NERC’s full name.
John Di Stasio is president of the Large Public Power Council and formerly served as the CEO of the Sacramento Municipal Utility District.
# # #
March 29, 2017
By Blake Sobczak
Senators of all political stripes voiced support yesterday for exploring new strategies to thwart cyberattacks on the U.S. power grid, including a plan for keeping the lights on without relying on the internet.
Sen. Angus King (I-Maine) urged electricity sector experts to consider whether "back-to-the-future answers" — such as manual backup operations at critical points in the power grid — "might protect us from the kind of attack that we know is coming.
"This qualifies as an emergency, and I hope we can act promptly," King said at a Senate Energy and Natural Resources Subcommittee on Energy hearing yesterday, as he called for a $10 million, two-year grid cybersecurity study (E&E Daily, March 27).
King's bill, S. 79, the "Securing Energy Infrastructure Act," was largely welcomed by witnesses at the hearing. But experts warned against letting strong cyberdefenses come at the expense of other hard-won innovations.
"A broad-scale reversion to pre-digital technology is uneconomic, unjustified and perhaps even impossible," said Michael Bardee, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission, in prepared testimony.
"But I do not see S. 79 as proposing such action," he added, noting that the legislation "could potentially aid the utility industry, FERC and others to maintain a secure electric grid" by setting up an interagency working group to examine the problem.
Bardee suggested King add FERC to the proposed list of members on the working group, which now includes the departments of Defense, Energy and Homeland Security; intelligence community; and the North American Electric Reliability Corp., the nonprofit grid overseer.
The bill was first introduced last summer in response to a series of eye-opening cyberattacks on Ukraine's power grid. In December 2015, hackers used stolen usernames and passwords to break into three Ukrainian utilities' operating networks and cut off power to about a quarter of a million people. The victim companies were able to restore electricity only after reverting to "manual mode" — dispatching employees to flip switches at remote facilities.
A year later, hackers struck again at another Ukrainian power company, temporarily severing electricity at a transmission-level substation (Energywire, Jan. 11).
"If we aren't prepared for cyberattacks, a Ukraine-like situation could take place in the U.S.," said Energy Subcommittee Chairman Cory Gardner (R-Colo.) at the outset of yesterday's hearing. He added that "hackers are certainly trying to create that kind of havoc in the U.S."
Thomas Zacharia, deputy director for science and technology at Oak Ridge National Laboratory, noted that his agency would be called on to support the working group if King's "retro" security bill is enacted.
He told senators that a "two-year pilot to really explore what is possible, to get out in front of this evolving challenge, is probably the best thing we can do."
Industry speakers at the hearing pointed to existing efforts to lock down the power grid from hackers.
John Di Stasio, president of the Large Public Power Council, which represents some of the biggest locally owned utilities in the country, said his group supports the "Securing Energy Infrastructure Act" on the condition that it doesn't get ahead of any existing cybersecurity requirements set by NERC.
"We've got a very robust cyber compliance and enforcement program," he said, noting that the industry has come "a long way" in improving cyberdefenses over the last 10 years. "I feel like we've got some of the essential building blocks in place."
Ben Fowke, CEO of Minneapolis-based utility Xcel Energy Inc., offered a tepid endorsement of King's bill, noting that Xcel "does not object" to the legislation based on its voluntary nature and liability protections for companies that contribute to the working group.
Fowke was more supportive of broader efforts to streamline the government's handling of cybersecurity, such as an effort by Gardner and Sen. Chris Coons (D-Del.) to create a Select Committee on Cybersecurity to cut down on some of the overlap in Congress.
"We just need to coordinate better," said Fowke. "There's a lot of work being done, but it's being done by a lot of agencies, it's being done by a lot of congressional committees. ... I think we're getting better at coordinating, but the bad actors are getting better at attacking us at the same time."
# # #
POLITICO's Morning Cybersecurity: John Di Stasio Quote at Senate Cyber Security Hearing
POLITICO's Morning Cybersecurity
March 29, 2017
By Tim Starks
STANDALONE CYBER? - Sen. Cory Gardner on Tuesday stumped for his bill that would place cybersecurity under one Senate committee. At a hearing of the Senate Subcommittee on Energy, which Gardner chairs, the Colorado Republican asked an energy executive whether such consolidated congressional oversight would benefit the nation's power grid. "Yes, senator, I think that would," said Benjamin Fowke, head of the major utility firm Xcel Energy. "We just need to coordinate better."
Later in the hearing, Sen. Angus King broke from his line of questioning to praise Gardner's effort. "By the way, Mr. Chair, I like the idea of the select committee," he said, before joking: "You get to tell [Senate Armed Services Committee Chairman John McCain] that you're taking cyber away from Armed Services." Gardner playfully noted that McCain had actually co-sponsored the bill, adding with a laugh, "I don't know if he knows the full implication of it."
Sen. Al Franken also used the hearing to highlight the White House's proposal to reduce funding for an Energy Department office that helps coordinate digital security measures with the energy sector. The Trump administration's recently released "skinny budget" indicated the DOE's Office of Electricity Delivery and Energy Reliability would get less money as part of broader cuts to the agency's budget. At Tuesday's hearing, John Di Stasio, president of the Large Public Power Council - whose members include over two dozen of the nation's largest public power systems - said his council had "worked closely with the office ... to develop smart grid and so forth, but also on reliability risks related to cyber."
# # #
POLITICO’s Morning Energy: Mention of John Di Stasio to Testify at Senate Cyber Security Hearing
POLITICO’s Morning Energy
March 28, 2017
By Anthony Adragna
Later on: A subpanel of the Senate Energy and Natural Resources Committee is convening today to discuss S. 79, the Securing Energy Infrastructure Act, a bill Sen. Angus King also floated last year but never got a vote. The bill calls for creating a $10 million pilot program within the Energy Department's national labs focused on researching ways to repel cyberintrusions on control systems used to operate energy infrastructure. Witnesses testifying today are Mike Bardee from FERC, Large Public Power Council President John Di Stasio, Thomas Zacharia, a deputy director at Oak Ridge national lab and Xcel Energy chief Ben Fowke. The hearing starts at 2:15 p.m. in Dirksen 366.
# # #
Senate Holds Hearing on Cybersecurity Threats to US Electric Grid
March 28, 2017
View photo gallery here. (John Di Stasio is featured in photos 1, 5, 7 and 10.)
# # #
CYBERSCOOP: Electric Power Industry Puts Cybersecurity to Forefront with Trump, Lawmakers
March 28, 2017
By Chris Bing
Electric power industry executives are pushing to have their cybersecurity concerns heard by Congress and the Trump administration.
A Senate Energy and Natural Resources Committee hearing on Tuesday — convened to discuss how the government can better coordinate with the private sector on power grid security, incident response and other cyber threat information sharing efforts — is the latest example of how the industry is reaching out to Washington.
Last week, electric power company and trade group representatives also met with top administration officials, including Secretary of Energy Rick Perry and Jeanette Manfra, the acting deputy undersecretary for the Homeland Security Department’s cyber division, Politico first reported. The group spoke about relevant, shared security goals and priorities, and where the government can offer assistance.
Energy companies face substantial risks in cyberspace, experts say, and threats can directly affect physical systems and human life.
John Di Stasio, President of the Large Public Power Council, told lawmakers Tuesday that because cyberthreats aimed at the electric grid evolve so rapidly, the industry typically prefers “flexible” cybersecurity regulations. Di Stasio said that while the government can play an important role in defending U.S. critical infrastructure, he disapproved of Congress rushing out new, potentially constraining compliance standards.
Another topic of significant concern for Tuesday’s four-person panel was the lack of actionable intelligence provided to the electrical power industry by government agencies about hackers.
“We need help getting the information,” Xcel Energy President Ben Fowke III told Cory Gardner, R-Co. “Quite often by the time we hear about a potential threat from the government, we’ve known about it for a long time through private sources or industry communication. And I think the reason for that is that we struggle on taking what could be classified information, declassifying it and getting it out quickly.”
There are some signs in Congress that future legislation may help spur collaborative public-private security research and information sharing programs.
A bill introduced last year by committee member Angus King, I-Maine, named the “Securing Energy Infrastructure Act,” or S. 79, was discussed during the hearing. As it is currently written, the legislation would establish a $10 million pilot program within the Energy Department’s national labs to research new cybersecurity technologies and find security vulnerabilities evident in products used by private energy companies. This vulnerability research would be shared with private sector partners.
“The effort proposed in S. 79 could potentially aid the utility industry, FERC and others to maintain a secure electric grid,” Michael Bardee, Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission, wrote in a prepared testimony for the committee. “Utilities have come to rely increasingly on digital tools for monitoring and operating the Bulk-Power System. These tools have enhanced the efficiency and effectiveness of utility operations significantly.”
Because most critical infrastructure in the U.S. is privately owned, the government must often form partnerships with companies to better monitor and secure industrial control networks. DHS, in this scope, plays a critical role as the defender and support team while the Energy Department helps to drive forward research and changes to policy, standards and regulation, which can improve digital security in the larger energy community writ large.
Developing relations between the electric power industry and U.S. government come in the wake of several known and substantial cyberattacks against industrial control facilities.
Four years ago, Iranian hackers broke into the Bowman Avenue Dam near Rye Brook, New York, using sophisticated malware. The attackers were unable to fully access the dam’s IT systems though investigators believe they could have taken control of the facility’s flood gates, investigators said at the time. DHS’ Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, responded to the incident, helping mitigate damage caused by the intrusion.
“I think one of the great things here is that the federal government stepped in and stopped what could have been something bad from happening,” Rye Brook Mayor Paul Rosenberg told CNN in 2015 after news first broke that hackers were responsible for the Bowman Avenue Dam incident in his town. “We appreciate that, but it makes me wonder about what would be potentially next, and that makes me concerned.”
# # #
POLITICO's Morning Cybersecurity: Mention of John Di Stasio to Testify at Senate Cyber Security Hearing
POLITICO's Morning Cybersecurity
March 28, 2017
By Tim Starks
AND ENERGY SUBCOMMITTEE SLATED TO TALK CYBER: A Senate Energy and Natural Resources Committee subpanel convenes today to discuss S. 79, the Securing Energy Infrastructure Act, a bill Sen. Angus King floated last year that never got a vote. Per our friends at Morning Energy, the bill calls for creating a $10 million pilot program within the Energy Department's national labs to research ways to repel cyber intrusions on systems used to operate energy infrastructure. Witnesses testifying today are Mike Bardee from FERC, Large Public Power Council President John Di Stasio, Thomas Zacharia, a deputy director at Oak Ridge national lab, and Xcel Energy chief Ben Fowke. "S. 79 promotes government-industry partnership in studying evolving vulnerabilities, which may help combat cybersecurity threats," Di Stasio plans to testify, according to his draft remarks. "However, LPPC cautions against provisions that could lead to prescriptive technology solutions."
# # #