View recent news coverage highlighting interviews and quotes from LPPC.
May 9, 2018
By Kevin Randolph
A new program aims to increase involvement and enhance collaboration and information sharing between member utilities of The North American Electric Reliability Corporation (NERC) Electricity Information Sharing and Analysis Center (E-ISAC).
E-ISAC, in partnership with the Large Public Power Council, began an initiative in January called the Industry Augmentation Program, which invites utility staff for multi-day visits to work with E-ISAC personnel.
The Industry Augmentation Program aims to raise awareness of E-ISAC cyber and physical security analysis processes, data protection and the separation from NERC’s compliance functions, provide an avenue for the E-ISAC to receive feedback from industry on tools and communications protocols and strengthen utility security programs and staff expertise.
NERC also said it aims to conduct an exchange program each quarter for E-ISAC members from investor- and publicly owned utilities as well as electric cooperatives, and it invited interested members to contact E-ISAC for more information.
“This program highlights the benefit of multi-directional information sharing between the E-ISAC and industry,” Bill Lawrence, director of the E-ISAC, said. “Having industry members work closely with E-ISAC personnel improves both organizations’ information sharing processes and gives each organization insight into the needs of the other, which strengthens security efforts across North America. It also builds trust in the safeguards the E-ISAC has in place to protect information shared from members.”
Eight utilities have so far participated in the augmentation program, NERC said in a press release.
To date, participants have included cybersecurity experts from publicly owned utilities and investor-owned utilities. JEA, the Los Angeles Department of Water & Power, the Nebraska Public Power District, the New York Power Authority, the Sacramento Municipal Utility District and Salt River Project are participants from the Large Public Power Council. Consolidated Edison, Inc. and Southern Company are the first two investor-owned utilities to participate in the program.
May 9, 2018
FERC should let RTO stakeholder processes work and not issue broad and costly new mandates, most commenters told the commission in its proceeding on grid resilience (AD18-7).
RTO Insider’s review of more than 60 of the dozens of comments filed ahead of the May 9 deadline indicated widespread support for RTOs’ requests in their initial filings in March for time to discuss the issues with stakeholders, more coordination with natural gas operators and more information on cyber threats. (See RTO Resilience Filings Seek Time, More Gas Coordination.)
But many commenters criticized PJM’s call for setting firm deadlines for rule changes, saying the RTO’s proposals would increase costs without necessarily improving resilience. Several commenters, including Edison Electric Institute and the National Rural Electric Cooperative Association (NRECA), suggested FERC schedule one or more technical conferences on the issue. Numerous commenters called for cost-benefit analyses of any new requirements.
In a joint filing, CAISO, MISO, NYISO, SPP and ISO-NE asked FERC not to impose PJM’s proposals in their regions.
“The record in this proceeding does not support any universal resilience standard or tariff changes requirements to be applied to all RTOs/ISOs. To the contrary, the record demonstrates that RTOs/ISOs have different resilience issues and priorities, and requiring all RTOs/ISOs to follow PJM’s proposed schedule on the issues pertinent to PJM will undermine each RTO/ISO’s efforts to address the specific challenges within its region,” they said. “Thus, the commission should reject PJM’s requests and allow individual RTOs/ISOs to pursue the resilience-related issues and initiatives they have identified in their region through collaborative efforts with their stakeholders and pursuant to the time frames they have established.”
Others, including the Advanced Energy Management Alliance, agreed that RTOs should continue their existing efforts to address their unique challenges. “PJM’s explanation of the need for changes to certain energy and ancillary market rules is helpful to inform the commission as to areas PJM is working on, but PJM cannot ask FERC to require rule changes to be filed in pre-emption of the stakeholder process or development of an evidentiary record that change is necessary.”
After rejecting the Department of Energy’s call for price supports for coal and nuclear generators in January, the commission asked its six jurisdictional RTOs and ISOs to respond to two dozen questions on resilience. This week’s deadline was for responses to the RTOs’ comments.
The comments touched on topics including FERC’s jurisdiction, fuel security, cyber threats and climate change, as well as individual regional issues.
Several commenters raised jurisdictional issues, noting that states, not FERC, have authority over distribution systems where most outages occur. Arizona Public Service said NERC’s reliability standards already address resilience.
“Before taking any additional steps to address resilience, the commission [should] consider the … comprehensive federal, state and industry efforts [that] address all levels of the electric grid and significantly contribute to ensuring” resilience, APS said. The utility criticized proposals it said “are clearly focused upon expanding the role of ISOs and RTOs and are, without understanding efforts at the state level and among utilities commercially, premature.”
The Pennsylvania Public Utility Commission asked FERC to “clearly articulate” its jurisdiction regarding resilience, saying it disagrees with PJM’s assertion that resilience is “‘within the commission’s existing authority with respect to the establishment of just and reasonable rates under the Federal Power Act.’ Therefore, clear and precise justification of FERC’s authority on this matter will be beneficial prior to any initial steps in regulating resilience,” the PUC said.
Entergy also disagreed with PJM’s “overly broad” interpretation of the commission’s jurisdiction.
The Large Public Power Council (LPPC) agreed with the commission’s proposed definition of resilience but urged that “to the extent further rules or standards are considered, FERC must be mindful of the statutory limits on its authority,” saying the Federal Power Act does not provide the agency a general grant of authority “to take action on reliability or resilience outside its specific statutory role in the approval and enforcement of standards.”
The LPPC also contended there is “no basis” for applying any rule governing resilience to non-RTO areas, as had been recommended by MISO and PJM. “This is not an issue within FERC’s domain in non-RTO regions, where states and localities maintain authority over generation investment decisions and cost recovery,” the group said.
The Electric Power Supply Association sees it differently. “Resilience must be a priority in all regions of the country, not only those served by independent system operators or regional transmission organizations,” EPSA said. “Therefore, it is important for the commission to extend its inquiry on the holistic examination of resilience to all jurisdictional entities, particularly transmission owners and systems outside of ISOs/RTOs.”
The American Petroleum Institute said PJM’s proposals regarding gas-electric coordination — such as requiring interstate pipelines to offer new transportation services and build new infrastructure — are unnecessary and may be beyond FERC’s jurisdiction under the Natural Gas Act.
LG&E and KU Energy warned FERC against undermining existing state processes, saying its resource planning and transmission and distribution operations are working well, and noting that it is not part of an RTO. In 2017, the utilities said, they attained their lowest forced outage rate since 2004, at 3.46% of their baseload generation.
The Transmission Access Policy Study Group, which represents transmission-dependent utilities, said FERC should give RTO stakeholders time to build consensus on issues within their purview and leave distribution systems to state and local regulators.
PJM’s Transmission Owners Agreement-Administrative Committee said its members need more information from the government on potential cyber threats. “The threat data that resides at, for example, the Department of Energy, Department of Homeland Security, National Security Council and Department of Defense is vital for the RTO/ISOs to have access to for developing and implementing effective protection mechanisms,” the committee said.
“Therefore, it is essential that the commission develop a process by which PJM may receive verification concerning the reasonableness of vulnerability and threat assessments based on internal government data that has not been made available to RTOs on national security grounds.”
Exelon said FERC, DOE and DHS should participate in the development of modeling scenarios and create a “design-basis threat” to provide a baseline against which RTOs can measure their resilience efforts.
Climate Change’s Role
The Center for Climate and Energy Solutions said that FERC’s scope of grid resilience lacks an acknowledgment of climate change and how it could hinder resilience.
The environmental nonprofit said that although it would prefer FERC order “an economy-wide pricing mechanism” to absorb the economic impacts and even prevent some physical impacts of climate change, it said the commission should at least ensure that wholesale power markets are “internalizing the costs of carbon emissions” through carbon pricing.
Image caption: Mobile substation | AEP Texas
The center added that increasing regularity of droughts threatens cooling systems for generating stations and rising temperatures will impede the capacity of bulk transmission lines to transport power. The nonprofit called on FERC to convene a technical conference to explore best practices for an industry coping with global warming.
“Climate science and lived experience show that historical conditions are no longer a reliable predictor of future conditions,” Pacific Gas and Electric said. “As issues arise in the future, PG&E encourages the commission to consider the risks of climate change when making decisions that could affect stakeholders’ ability to make climate-smart investments, or to make other decisions to address climate resilience for the future.”
Numerous commenters cited the certainty of fuel supplies as an essential element of resilience.
NERC said FERC should consider encouraging firm transportation, multiple pipeline connections and dual-fuel capability for gas generators. “Further, the commission could consider requiring that resource adequacy assessments account for potential reliability ramifications associated with the ‘just-in-time’ natural gas fuel delivery model.”
“Fuel security risk is the most important factor to include in the commission’s definition of resilience and in its evaluation of grid resilience generally,” the American Coalition for Clean Coal Electricity said. The American Coal Council said coal generation retirements are a threat because intermittent resources can’t always be counted on.
Basin Electric Power Cooperative said its fossil generating units continue to be affected by markets “that fail to adequately compensate resources” for providing “essential electric service” in the wholesale markets.
The North Dakota co-op called for “equity across all fuel types,” saying the RTOs’ comments did not address the “preferential treatment” wind generation receives. It said a new ramp product, “if structured appropriately,” could reflect the value of stand-by products and provide “sufficient mitigation for assets that must stay online and incur losses” to backfill wind.
The Electricity Consumers Resource Council and industrial energy users warned against using resilience as a pretext for a “bailout” of coal and nuclear plants, adding, “No action to advance resilience can be considered ‘just and reasonable’ if it has not considered the impact to consumers and how to minimize that impact.”
Americans for a Clean Energy Grid, a coalition supporting a “fully electrified” society, noted that this winter’s “bomb cyclone” forced Northeast grid operators to rely on more expensive generation such as coal, oil and dual-fuel units, even while wind output — stranded by transmission constraints — was higher than normal during the weather event. “Thus, while wind power can be more reliable than other resources during extreme winter weather, it is limited by interregional transmission constraints,” the group said.
Role of Capacity Markets
While many commenters, including EPSA and the Natural Gas Supply Association, called for market-based responses to resilience needs, the American Public Power Association and NRECA said mandatory capacity markets are not producing the resource mix needed to provide required resilience attributes. “Rather than relying on the markets, appropriately accommodating state resource policy choices in the mandatory capacity markets likely would help alleviate some of these [resilience] concerns.”
API, in contrast, warned that some of PJM’s proposals “seem to be regressing back toward an integrated resource planning world where picking winners and losers takes precedence over markets and competition.”
Role of Transmission
Many commenters noted that most outages occur on the transmission and distribution system.
ITC Holdings said the bulk power system’s resilience faces “a substantial threat from the ongoing lack of any effective, regular interregional transmission planning processes between many RTOs/ISOs,” citing MISO’s seams with PJM and SPP. “Despite the highly interconnected nature of [the MISO-PJM] seam, and despite a long history of commission exhortation to ensure sufficient coordination between the two regions, no interregional transmission project has ever been planned for or built between these two RTOs. As such, each region is unnecessarily limited in its ability to call on generating resources from the neighboring region to respond to grid emergencies.”
Although the vast majority of customer disruptions occur because of failures of the distribution system and are beyond FERC’s jurisdiction, the commission could aid resilience by integrating distributed energy resources into wholesale markets and revising Order 1000 to increase the use of non-wires solutions to transmission constraints, said a group of environmental and public interest organizations, including the Natural Resources Defense Council and Environmental Defense Fund.
Trade group WIRES said FERC should update Order 890’s transmission planning principles to include resilience as a distinct planning driver for RTOs. “Generation and fuel supply policies offer only a limited hedge against potential disruption. Moreover, while distributed resources are important for rapid recovery, they are of limited long-term capability without the grid’s transfer capabilities,” the association said.
The Energy Storage Association said FERC could enhance resilience through greater storage use, embedding the resource type into transmission planning and encouraging wholesale market participation of distribution-level storage. “Storage decouples the element of time from supply and demand,” the ESA said. “It makes non-dispatchable generators dispatchable; it makes inflexible generators flexible; and it makes inefficient cycling generators more efficient.”
The WATT Coalition, a group of companies that offer technologies to increase the delivery capability of the existing grid, urged FERC to focus on how advanced transmission technologies can improve resilience. “During times of system stress, network topology optimization, dynamic line ratings, and power flow control can help ensure reliable operation,” the group said.
It noted that ISO-NE’s relaxation of transfer limits during this winter’s bomb cyclone allowed it to import an additional 200 MW of generation from NYISO. “When it is cold, cloudy, or windy, lines are cooled, so they can physically deliver more energy without sagging or over-heating,” the coalition said.
Tesla warned against a definition of resilience that focuses on generator availability or transmission. “Distributed energy resources that are co-located with load can continue to provide electric service to customers even in the face of a complete failure of the bulk power system and are best-placed to provide resilience in a wide variety of contingencies impacting the grid,” it said.
PJM Comments Under Scrutiny
PJM’s March filing was the subject of numerous commenters.
“In its zeal to address resilience in its own market, PJM has inappropriately laid out directives and requirements for every other market to follow, according to PJM’s proposed time frames,” EPSA said.
EEI agreed, saying “it may be premature to require all RTOs/ISOs to make specific filings as requested in PJM’s comments.”
David Patton, whose company Potomac Economics provides market monitoring services to MISO, ISO-NE, NYISO and ERCOT, said adopting PJM’s proposal to allow inflexible generators to set clearing prices would have boosted MISO’s system marginal prices by 30%, based on analysis of the 12 months ending in October 2017. (See Critics Slam PJM’s NOPR Alternative as ‘Windfall’.)
“This plan is a fundamental departure from the efficient locational marginal pricing framework that has been the foundation of all successful wholesale markets in the U.S.,” Patton said. “It would, for the first time, introduce fixed costs into real-time pricing that are clearly not marginal in the real-time dispatch horizon. In effect, PJM would be requiring that the average costs of all resources needed to service load be reflected in every five-minute interval.”
Image caption: PECO Audubon substation | © RTO Insider
The Pennsylvania PUC said it supported some of PJM’s proposals but feared that some “offered in the name of resilience may shortchange or even bypass normal PJM stakeholder deliberative processes” and warned against giving RTOs “a license to ‘gold-plate’ the generation, transmission and cyber assets of its members to achieve standards of resiliency that are disproportionate to a particular vulnerability or threat assessment.”
The regulators said they were concerned over the potential scope and costs of PJM’s proposals. “Some of PJM’s recommendations, especially in the market design arena, appear to utilize the grid resilience docket as another forum to advocate for specific market modifications, such as energy price formation, that are not immediately germane to the resilience discussion,” the PUC said.
It agreed with PJM that FERC may need to “revisit” NERC reliability standards. “However, revision of NERC standards is a complex, time-consuming process that should be allowed to proceed on its own timeline without an accelerated impetus from this docket.”
The PJM Power Providers Group (P3), on the other hand, praised the RTO’s “thoughtful recommendations” for addressing “antiquated energy price formation structures.”
“However, the stakeholder deliberations regarding this issue have been unproductive to date. Commission direction may be required for energy price formation goals to come to fruition as a means to support the commission’s resilience aims,” it said. P3 expressed concern over PJM’s proposal to permit non-market operations during emergencies, saying the commission should require the RTO to submit Tariff revisions to allow the change.
PJM also received support from American Electric Power, Dayton Power and Light and East Kentucky Power Cooperative, which made a joint filing as the PJM Utilities Coalition.
The coalition said it agrees with PJM’s recommendation that all RTOs be required to submit proposed Tariff changes to implement resilience planning criteria and develop processes for the identification of vulnerabilities.
“No meaningful steps towards a resilient system can begin without appropriate direction given by the commission that explicitly grants power to the RTO to establish resilience planning criteria and other aspects of the process,” it said. It also questioned whether the stakeholder process could address the issues. “If PJM reverts to a stakeholder process to determine resilience criteria, the process may get mired in political debates and cost allocation, and not focus on the necessary task of determining objective resilience criteria. For this reason, clear direction from FERC to guide that process is requested.”
PJM also filed reply comments, saying it wanted to provide additional information on its fuel security initiative announced April 30, clarify its proposals regarding gas-electric coordination and “provide context for its approach to this docket relative to the approach taken by certain other RTOs and ISOs.” (See PJM Seeks to Have Market Value Fuel Security.)
The Organization of PJM States Inc. (OPSI) said PJM’s filing did “not address the prudency and affordability of measures that may be implemented as a result of” the RTO’s recommendations, which it said indicate “extensions of its current mandate.”
“While not the stated intent, a future PJM could be positioned to drive transmission planning and craft new market structures in its mandate to address perceived low-probability, high-impact threats,” OPSI said. “The prospect of this expanded authority, with planning and decision-making impacting billions of dollars in investments with cost recovery from end users, may require a re-examination of PJM’s scope, governance and oversight.”
Figure caption: Graph on the left shows how baseload resources recover their fixed commitment costs under current LMP rules. During the peak hours, prices are typically above the resource’s marginal costs; the excess revenues in area B will exceed the amount by which the revenues fail to cover average costs in area A. Under the PJM proposal (right), LMPs would cover the average cost of all baseload resources needed to serve load. | Potomac Economics
Industrial energy users, consumer advocates for Delaware, New Jersey and D.C., and American Municipal Power, filing jointly as PJM Consumer Representatives, said the inconsistencies between the positions of PJM and those of other RTOs indicate the need for regional flexibility.
“Unlike the comments of the other RTOs/ISOs, PJM’s comments embark on an aggressively activist course, advocating positions that could result in substantial changes to PJM energy and capacity market rules, in addition to whatever changes may be necessary in transmission planning and system operations rules,” they said.
They called for a cost-benefit analysis or “prudence assessment” of any new resilience rules and said neither the 2014 polar vortex nor the 2017-2018 cold snap “justify subsidizing uneconomic coal and nuclear units … in the name of resilience.”
FirstEnergy’s regulated utilities called for urgent action, noting they sought voluntary load curtailments during the polar vortex to prevent load shedding for 142,000 customers. FERC should “immediately implement stopgap measures to preserve the operation of generators that contribute to grid resilience until a full evaluation of resilience needs is complete,” the utilities said.
FirstEnergy Solutions, the company’s merchant generation unit, said it “disagrees with the overall thrust of PJM’s comments.” It called for FERC to adopt mandatory resilience standards for RTOs and ISOs and ensure the continued operation of “critical” nuclear and coal-fired generators in the interim.
The Natural Gas Supply Association said PJM’s fuel security initiative “appears to reflect an unsupported bias against natural gas.”
“PJM states that the process of examining fuel risk will be done in a fuel-neutral manner. However, its document describing its process only refers to risks associated with greater reliance on natural gas and the language suggests that PJM has already made an unsupported predetermination that natural gas is a weak link in their ability to be reliable and resilient.”
ISO-NE’s response to FERC identified fuel security as its resilience risk. It said potential responses include additional gas pipeline or LNG capacity, relaxing rules on dual-fuel resources and additional investments in renewables and transmission.
The New England Power Pool Participants Committee stressed that resilience solutions be worked out in the stakeholder process, calling it “a prerequisite to yield the solutions that work best for New England.”
The New England States Committee on Electricity shared ISO-NE’s perspective that fuel security presents the primary challenge to the resilience of the region’s power system. NESCOE recommended additional analysis of potential risks and cautioned “against prescriptive actions or further processes” that could impede regional or state efforts to mitigate fuel security challenges.
The New England Power Generators Association said ISO-NE’s Operational Fuel Security Analysis (OFSA) “neither captures market participant behavior in response to price signals nor the probability of any particular outcome … and therefore should not be the basis for the market solutions to be developed and later filed for acceptance with the commission.” (See Report: Fuel Security Key Risk for New England Grid.)
Eversource Energy said ISO-NE’s fuel security study “may understate the magnitude and scope of the challenges.”
“This could lead one to falsely conclude that only minor changes are required, and that commission action may be unneeded at this time. To the contrary, time is not on New England’s side,” the company said.
The company urged the commission to convene a New England-specific technical conference to determine state and federal actions to improve the region’s infrastructure, citing additional gas pipeline capacity from the Marcellus shale deposit and electric transmission to carry Canadian hydropower and on- and offshore wind.
The attorneys general of Massachusetts, Rhode Island and Vermont also cautioned against overreliance on the OFSA, which they said “relies on underlying assumptions that do not present a realistic or complete view of either the present or the future bulk power system.”
“The OFSA presents a deterministic (as opposed to probabilistic) analysis that provides no context about whether modelled events are likely to occur,” they said.
They also said the study’s approach to resilience is overly narrow, failing to consider “cyber and physical adversarial threats, technological accidents, and extreme heat and other weather events.”
The region’s local gas distribution companies recommended FERC “consider expedited review of and decisions on new natural gas pipeline certificate applications in critical fuel security regions.”
NYISO told FERC in March that it does not face “imminent resilience concerns that require immediate action.”
The New York Public Service Commission said it agreed that ISO and stakeholder efforts to address bulk system resilience “are comprehensive and continuous,” asking for no other FERC measures beyond its “continued attention.” The PSC also agreed with the ISO’s suggestion for the commission to host a technical conference on bulk system resilience.
The Independent Power Producers of New York also supported the ISO’s approach and said FERC should not force it to abide by PJM’s suggested deadlines. “Efforts to ensure resilience should not be rushed to meet some arbitrarily short time frame unless they are justified by the evaluation of the ISO/RTO,” the group said.
The New York Transmission Owners also called on the commission to respect regional differences. “Any requirement to change course could impede resilience efforts already underway in the stakeholder process,” they said.
The Organization of MISO States said NERC standards, combined with initiatives from RTOs, state regulators, utilities, municipalities and others, were enough to ensure long-term resilience. No additional rules or standards are necessary, the group said, especially those that might encroach on state jurisdiction. “It is clear to the OMS that the appropriate processes are already in place to identify and adapt to the evolution of the industry and perceived threats to resilience,” the group said.
The MISO Transmission Owners emphasized that RTOs have only part of the answer to resilience, noting the role of distribution systems.
“MISO and its utility members have developed an integrated electric system that is currently sufficiently resilient, and MISO has identified no imminent resilience crises requiring commission action,” they said. “Notwithstanding MISO’s and its members’ regional efforts, enhancements to interregional coordination will promote greater resilience. Thus, while seams issues are broader than the concept of resilience, MISO is correct that the commission should not ignore the benefits of greater, more effective and efficient interregional cooperation in this proceeding.”
Entergy said it saw no need for a federal role in determining the proper long-term resource mix — “at least in MISO.”
The company called for resource adequacy to “continue to be a shared responsibility in MISO,” with state and local regulators determining the fuel mix.
“In this way, state and local regulators ensure diversity of fuel resources consistent with each area’s needs and those regulated utilities’ customers bear the cost burden and the reliability and resiliency benefits of those local regulators’ decisions,” Entergy said. “Direct federal action to regulate the long-term resource mix also could jeopardize utilities’ continued participation in MISO.”
In a joint filing, the Coalition of MISO Transmission Customers and Illinois Industrial Energy Consumers said that resilience is already central to the RTO’s reliability assessments. “The commission should not carve out resilience and treat it as a discrete characteristic of wholesale electricity markets,” they said, adding that any resilience requirements should be subject to cost-benefit analyses.
Northern Indiana Public Service Co. said that most grid innovation is happening with customer-owned technologies that connect at distribution level, urging FERC to work with state regulators to address resilience “across the entire electric value chain.” The company said that a “top-down, nationally-focused approach could overemphasize one or two parts of the overall electric system” and fail to account for the adoption of storage devices, electric vehicles, microgrids and DERs.
Alliant Energy used its comments to call for modernizing the Public Utility Regulatory Policies Act and criticize qualifying facilities “that haphazardly site themselves on the grid, causing distribution system and system planning issues.” Alliant said PURPA must be reworked to incent QF developers to concentrate on “system reliability and long-term grid stability.”
SPP’s Market Monitoring Unit emphasized the importance of creating standards and metrics to quantify and measure resilience.
“We recommend that in addition to defining resiliency, the commission and the parties should also engage in discussions to measure resiliency in order to assess whether an area has or has not attained resiliency. This measurement may also contribute in creating new market mechanisms to promote resiliency,” the Monitor said.
It pointed to SPP’s 30 to 36% capacity margins over peak needs but said that those high levels do not necessarily equate to resilience.
The MMU also said the resilience discussion should not be used “as a venue to promote certain price formation proposals.”
The California Public Utilities Commission said the state “has made substantial efforts to ensure grid reliability and resiliency by ensuring redundancy and coordination in its energy planning efforts,” citing the deployment of distributed energy resources and smart inverters.
It also noted the state “continues to aggressively plan for a changing climate to ensure Californians have safe, affordable and reliable access to electricity.”
Nevada Hydro, which develops pump storage projects, said CAISO’s transmission planning process has fallen short in properly valuing hydropower. CAISO’s “transmission economic assessment method (TEAM) has not fully applied the method to storage projects and has not quantified the grid reliability and resiliency benefits of the projects it has examined,” the company said. It said FERC should direct RTOs to include pumped storage hydro in transmission studies and resource adequacy planning.
Southern California Edison said FERC should consider regional differences and costs. It said it shares CAISO’s view that FERC’s proposed definition of resilience is lacking.
It said the use of the term “disruptive events” is indistinguishable from “‘contingencies,’ which, per NERC reliability standards, refers to unexpected failures or outages of a [Bulk Electric System] component.”
May 9, 2018
By Tim Starks
HILL GETS BUSY — Three separate committees are taking action on cybersecurity-related legislation today across both sides of the Hill. Perhaps the most significant among the bunch is a House Foreign Affairs markup of legislation that would establish a bug bounty program at the State Department, following the widely regarded success of similar initiatives across the Pentagon and at the IRS. The legislation (H.R. 5433) also mirrors efforts in Congress to expand such programs, like the push to create one at DHS (S. 1281) that passed the Senate last month.
The House Energy and Commerce Committee, meanwhile, is scheduled to consider a handful of cybersecurity bills. One (H.R. 5175) would direct the Energy Department to initiate a program to protect the physical security and cybersecurity of pipelines and liquefied natural gas facilities. A second (H.R. 5239) would create a voluntary DOE program to test the cybersecurity of products intended for use in the bulk-power system. A third (H.R. 5240) would seek to strengthen public-private partnerships on cyber. And the fourth (H.R. 5174) would make explicit that Energy Department leaders are responsible for cyber and other emergency response functions.
Later in the day, a House Appropriations subcommittee will mark up draft legislation that would provide fiscal 2019 funding for agencies including Commerce and Justice. The Commerce Department, home of the technical standards agency NIST, has a big cybersecurity role, while the Justice Department houses operations devoted to prosecuting cybercrime.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Sure, because what the world needs is a new generation of super-spiders, jumping all over the place at the command of evil dictators wielding them as a spooky army. Send your thoughts, feedback and especially tips to email@example.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
TODAY: SOFTWARE, POWER INDUSTRY OFFICIALS VISIT CONGRESS — BSA | The Software Alliance is flying representatives of member companies such as Microsoft, IBM and Trend Micro into Washington to discuss cybersecurity and other items on its agenda. The cybersecurity component includes advocating for bolstering the workforce and explaining how artificial intelligence can defend computer networks. BSA has set up meetings with a range of cyber-savvy lawmaker offices, like Reps. Will Hurd and Adam Schiff and Sen. Cory Gardner, as well as House Minority Leader Nancy Pelosi.
Members of the Large Public Power Council, a utility group, will also visit lawmakers today. Representatives will meet to discuss cybersecurity with members and staffers of the House and Senate Homeland Security panels as well as the House Intelligence and Energy and Commerce committees. In addition to the group’s president, John Di Stasio, and regional power authority representatives, the council is bringing in technical cyber experts.
WAITING FOR THE NEXT SHOE TO DROP — Iran must stop hacking the U.S. and its allies, the administration said Tuesday after President Donald Trump announced a withdrawal from the Iran nuclear deal. A White House statement said Trump was “making clear that, in addition to never developing a nuclear weapon, the Iranian regime must … end its cyberattacks against the United States and our allies, including Israel.” In recent years, Tehran has deployed its hackers to disrupt the oil giant Saudi Aramco as well as to steal trade secrets and research from universities in the U.S., Israel and many other countries. Senate Majority Leader Mitch McConnell voiced support Tuesday for Trump’s holistic approach to the Iranian threat, saying in a statement that Tehran’s “malign behavior across the broader Middle East,” including its “use of cyberattacks,” should be “addressed in a wider regional effort.”
Cyber experts will be watching to see if Iranian hackers step up their attacks on U.S. targets. As Eric reported recently, threat intelligence researchers are concerned this will happen. Priscilla Moriuchi, director of strategic threat development at Recorded Future and former head of the NSA’s East Asia and Pacific cyber threats office, said her company expects U.S. financial and energy sector firms to face aggressive attacks from Iran “within months, if not sooner.”
FRESH STATS — Cyber crime cost Americans approximately $1.42 billion in 2017, according to a report from the FBI’s Internet Crime Complaint Center published Tuesday. The FBI center receives nearly 300,000 complaints each year, according to the report. Payment scams, data breaches and phishing attacks topped the list of crimes, with identity theft and business email compromises also making the top 10. Ultimately, business email compromise schemes led to the most losses, with $676 million, compared with romantic scams and other trickery coming in second and payment scams ranking third. Data breaches came in fifth, accounting for $77 million in losses. The states with the most reported victims and the highest losses are also among the largest: California, Texas, Florida, New York and Pennsylvania.
PAYING THE PRICE — DHS Secretary Kirstjen Nielsen told senators Tuesday that her department was pretty far along in ensuring that federal agency contractors are removing Moscow-based Kaspersky Lab software from their systems. DHS issued the directive, which Kaspersky is fighting in court, amid security fears last year.
“For many of the third party providers, they weren't even aware they had Kaspersky on their systems and within their products,” Nielsen told the Senate Appropriations Homeland Security Subcommittee. She said DHS was looking at ways to establish consequences for anyone who doesn’t pull the products. For its part, DHS is also looking at ways it can, under existing powers, “pause and turn off contracts” when there’s a concern like Kaspersky software or a data breach.
At the same hearing, Nielsen said DHS plans to host an election security briefing to talk about what it’s doing to safeguard state and local election administrators via voluntary assistance. When Sen. Jon Tester asked what happens when states resist DHS’ voluntary aid, Nielsen said that one of the goals of the briefing was getting lawmakers to “help us message to the state and local officials what they need to do to secure the elections.”
FROM INDEPENDENCE AVENUE TO MAIN STREET — The House approved legislation Tuesday meant to improve cybersecurity assistance offered through small-business development centers, which are Small Business Administration-backed centers that provide technical support. Under the bill (H.R. 3170), the Small Business Administration would be required to develop a cyber counseling certification program to help center employees provide advice to small business owners. The measure passed by voice vote.
RECENTLY ON PRO CYBERSECURITY — The Senate Intelligence Committee finalized its election security report with new findings and recommendations. … Georgia’s governor vetoed a hacking bill that cybersecurity experts warned would cause more digital threats. … Russian hackers waged a campaign of digital threats under the guise of the Islamic State. … Facebook unveiled another effort to combat Russian methods of election interference. … House Republicans believe Trump will override the Justice Department's refusal to turn over documents.
TWEET OF THE DAY — I think the pasta is hacking back, probably?
— Nearly 75 percent of organizations were probably or definitely hacked or experienced a data breach within the last year due to a compromised application, according to a new report from Arxan. The company surveyed around 1,400 IT firms across the U.S., EU and Asia.
PEOPLE ON THE MOVE
— New Jersey’s former chief technology officer and first cybersecurity adviser, Dave Weinstein, has joined cybersecurity firm Claroty as its vice president of threat research, the company announced Tuesday.
— The New York Times looks at how West Virginia is trying to protect its elections from hackers.
— House Intelligence Chairman Devin Nunes is feuding with the Justice Department over information involving a source who aided special counsel Robert Mueller’s Russia probe. The Washington Post
— “No, Apple is not making it harder for cops to hack iPhones.” CyberScoop
— The Trump administration’s rescission package would pull back funding for two technology loan programs. Nextgov
— A popular Android app left user information exposed. Motherboard
— A look at the new NSA/Cyber Command cyber warfare center from CyberScoop.
— “Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K”
— The former WikiLeaks fan who made public some unflattering internal messages explained why. Daily Beast
— Joy Reid's cybersecurity expert once wasted the FBI's time with an investigation that went nowhere, a source told Buzzfeed.
— Iran's cyber police warned about terrorist groups plotting in cyberspace. Fars News Agency
— Alaska officials say hackers broke into the state’s election system a little in 2016, but didn’t do any damage. Anchorage Daily News
— Twitter might be testing encrypted direct messages. Gizmodo
— Federal agency IT specialists are getting older. Nextgov
That’s all for today. Although maybe jumping spiders aren’t that scary if they can get shooed away just by holding your arms out.
May 5, 2018
By Marianne Levine and Theodoric Meyer
FLY-IN: Members of the Large Public Power Council are hitting up the Hill today to talk about cybersecurity issues. Among the lawmakers they will meet with are Reps. Joaquín Castro (D-Texas), Markwayne Mullin (R-Okla.) and Will Hurd (R-Texas).
FLY-IN: Members of the American Public Health Association held a fly-in Tuesday to call for more public health funding. The offices they met with included those of Reps. Bob Brady (D-Pa.), Dwight Evans (D-Pa.), Lamar Smith (R-Texas), Andy Barr (R-Ky.) and Sens. Bob Casey (D-Pa.), John Cornyn (R-Texas), Ted Cruz (R-Texas), Mitch McConnell (R-Ky.), Joe Donnelly (D-Ind.), Todd Young (R-Ind.), Elizabeth Warren (D-Mass.) and Marco Rubio (R-Fla.).
SPOTTED: At the Nelson Mullins Annual Rooftop Gala atop its offices last night, according to a PI tipster: Sens. Ed Markey (D-Mass.), Tim Scott (R-S.C.), Sheldon Whitehouse (D-R.I.), Chris Coons (D-Del.) and Chris Murphy (D-Conn.); and Reps. Trey Gowdy (R-S.C.), Mark Sanford (R-S.C.), Tom Rice (R-S.C.), Jim Clyburn (D-S.C.), Mike Capuano (D-Mass.), Joe Kennedy (D-Mass.), Virginia Foxx (R-N.C.), Richard Neal (D-Mass.), Stephen Lynch (D-Mass.) and Joe Wilson (R-S.C.).
SPOTTED: At the Games For Impact event hosted by the Entertainment Software Association on Capitol Hill last night, according to a PI tipster: Reps. Ryan Costello (R-Pa.), Doug Collins (R-Ga.), Bradley Byrne (R-Ala.), Jim Costa (D-Calif.), David Cicilline (D-R.I.), Bill Foster (D-Ill.), Will Hurd (R-Texas) and Hank Johnson (D-Ga.).
SPOTTED: At the Rivers of Recovery seventh annual congressional reception last night, according to a PI tipster: Reps. Martha Roby (R-Ala.), Jeff Duncan (R-S.C.), Duncan Hunter (R-Calif.), Sam Graves (R-Mo.) and Steven Palazzo (R-Miss.); Gen. George Joulwan; Liz Williams of Williams & Company; Sam Whitfield of the Consumers Bankers Association; Jeff Hogg of RAI Services; Zach Hartman of Anheuser-Busch; Hayden Rogers and Scott Eckart of Emergent Strategies; and others.
March 29, 2018
By Gino Harel and Catherine Varge of Survey
In December 2015, some 225,000 households in Ukraine were deprived of electricity. A year later, it was the turn of part of the capital, Kiev, to be plunged into darkness. These two outages were anything but ordinary: they were caused by hacking.
"In Ukraine, I think it was a clear signal in the industry," says Johanne Duhaime, Vice President of Information Technologies and Communications at Hydro-Québec.
For several years now, Hydro-Québec has relied on a dedicated team for cybersecurity monitoring. The events in Ukraine prompted the company to step up its defensive measures.
"We have started putting plans in place to expand our monitoring center to 24/7 [...] and accelerate the modernization of our infrastructure to better protect ourselves," said Ms. Duhaime.
Behind the 2015 operation in Ukraine, cybersecurity experts identified a malware family called BlackEnergy, but were unable to trace the perpetrators. The 2016 attack was also investigated by computer security experts. ESET determined that it was carried out using new malware called Industroyer, capable of remotely controlling the industrial control systems of electrical infrastructure.
Hydro-Québec's experts have to deal with hundreds of computer security incidents every year. Intrusion attempts by way of malicious emails, for example, occur regularly.
Hydro-Québec also tests its employees with simulated phishing messages. Some people fall for them, Johanne Duhaime admits, but their number is decreasing.
"We do a lot of work on human behavior and education [...] People tend to call and say, 'I got an email, it looks suspicious, is that okay?'" she says.
An employee may also insert a personal USB key into a company computer, which can likewise pose a risk.
Hydro-Québec states that it has not experienced any cyberintrusion into its systems.
Johanne Duhaime said that her team pays particular attention to Internet traffic from certain countries, such as Ukraine, Russia or Korea. "When we see elements with IP addresses coming from these countries, we tend to be more vigilant [...] We would rather be more proactive and perhaps block the source of these requests at the source," she says.
This happens fewer than 10 times a year, she says.
One billion threats
During a testimony before the Standing Committee on Public Safety and National Security, on March 22, in Ottawa, the head of the Communications Security Establishment Canada (CSE) revealed the extent of cybersecurity challenges that her agency faces.
"We are now blocking more than a billion malicious attacks aimed at compromising government systems, on average every day," said Greta Bossenmaier, head of the CSE.
These numerous incidents target Government of Canada networks and range from a simple reconnaissance exercise to check for vulnerabilities in systems to actual attempts to exploit vulnerabilities, or to install malware.
The last federal budget provides $507 million for dedicated measures over the next five years, including the creation of a Canadian Cyber Security Centre. Ottawa is also scheduled to announce its new national cyber security strategy in the near future.
Last fall, the cybersecurity company Symantec revealed the presence of other malicious software on the computers of power companies in the United States. The group identified behind these intrusions is called Dragonfly.
The FBI and the US Department of Homeland Security confirmed that they have identified victims of cyberintrusions in the energy field, including the nuclear sector. Hackers have also been able to penetrate aviation, water and other manufacturing networks.
According to Symantec, Dragonfly's phishing emails were also spotted at three organizations in Canada, but it was not possible to confirm any intrusions.
In the United States, the operation reportedly allowed the attackers to break into the networks of small commercial facilities, in part through targeted malicious emails. Their long-term goal is believed to be using these smaller networks to reach larger targets. Experts believe they have already managed to position themselves to carry out sabotage.
"For the past two years, we have seen our adversaries become more interested in ways of harming [our] systems. Their techniques have developed," says the head of cybersecurity at the Department of Homeland Security, Jeanette Manfra.
Ms. Manfra manages a team located in an office building in downtown Arlington, Virginia, which houses an operations center at the heart of computer security throughout the United States: the National Cybersecurity and Communications Integration Center.
"The operations center is analyzing cyber incidents that are reported daily by various government agencies and private sector companies in the United States," she says.
Ms. Manfra estimates that 10,000 incidents were reported to her center in the last three months alone.
The number of devices and organizations whose networks are connected to the Internet is growing exponentially. This creates many vulnerabilities that criminals seek to exploit.
On March 15, the United States announced a new series of sanctions against Russia, accusing the country of two forms of cyber-interference in the United States: attempts to destabilize the electoral process in 2016, and computer attacks on critical infrastructure. According to Russian news agencies, Moscow considers these accusations unfounded and is now preparing its own retaliatory measures in response to the sanctions.
Hydro-Québec is reassuring
Even though Internet-connected devices are constantly growing in number, Hydro-Québec points out that it has an advantage other electric companies lack when it comes to preventing hacker attacks on these systems: it has its own telecommunications network to support its electrical mission.
The risks of intrusion are lower, are almost zero, because it's just us who are on the network [...] We control our entire environment.
Johanne Duhaime, Vice President of Information Technologies and Communications, Hydro-Québec
"We are in a good position," adds Ms. Duhaime. "That does not mean that we are safe and that there is zero risk [...] In cybersecurity, we must never say that we are at zero risk."
While the energy sector in the United States is clearly in the spotlight of hackers, industry representatives point out that power grid operators have standards to meet, including in terms of cybersecurity. They are established by the North American Electric Reliability Corporation (NERC). Hydro-Québec is subject to them.
The US electricity sector is made up of a multitude of private companies, but also more than 2000 utilities that produce or distribute electricity in markets of small or large size.
John Di Stasio is the president of an organization that brings together the 26 largest public utilities in the United States. According to him, the standards in place would probably have prevented the kind of outages that followed the cyberattacks in Ukraine in 2015 and 2016.
"Our standards require us to provide multiple layers of protection that did not exist in Ukraine," he says.
In this game of cat and mouse between cyberattackers and cyberdefenders of power grids, Mr. Di Stasio believes that the industry has made some progress.
I think we have gained ground. However, we cannot predict what lies ahead, what the nature of the threats will be, or what they will target.
"These threats are evolving and all we can do is remain vigilant and continue to do the things that work to defend us from known threats," concludes Di Stasio.
POWER MARKETS: Groups Unite to Lobby FERC on Reforms
March 7, 2018
By Rod Kuckro
A broad coalition of 10 organizations not usually on the same page when it comes to electricity policy are asking federal regulators to apply five principles to any changes in the rules governing wholesale power markets.
Their common concerns were spelled out in a March 5 letter to the Federal Energy Regulatory Commission.
The letter said this is the time for FERC "to provide a clear vision for how it can best support, rather than interfere with, market-based mechanisms and healthy competition."
The letter from the 10 groups is intended to address the FERC inquiry into resilience as well as a FERC docket opened last year on the intersection of markets and state policies.
"The kettle is getting closer to boiling in terms of FERC taking another raft of actions involving issues around state policies and federal market design," said John Moore, senior attorney with the Natural Resources Defense Council (NRDC) who also signed the letter.
"So we wanted to put together a set of principles well before the pot actually boils and make sure everyone's aware of the new reality," Moore said in an interview. The group is concerned, he said, that "RTOs are not catching up to the new reality of the transforming grid."
The letter was signed by the American Council on Renewable Energy, American Public Power Association (APPA), American Wind Energy Association, Electricity Consumers Resource Council, Large Public Power Council, National Association of State Utility Consumer Advocates, NRECA, NRDC, Solar Energy Industries Association and Transmission Access Policy Study Group.
March 4, 2018
By Aaron Gregg
CSS of Fairfax appointed Joe Craver chief executive.
National Conference Center of Leesburg appointed Terrence Luther senior sales manager.
Quinn Evans Architects of the District appointed Alyson Steele executive vice president and chief design officer.
Sandy Spring Builders of Bethesda appointed Brian Abramson partner.
ASSOCIATIONS AND NONPROFITS
American Diabetes Association of Arlington appointed John Agos chief strategic development officer.
Large Public Power Council of the District appointed Pat Pope president and chief executive.
McCain Institute for International Leadership of the District appointed Rachel Spera program manager for leadership and education.
Mortgage Bankers Association of the District appointed Deborah Dubois president of the MBA Opens Doors Foundation.
Plastics Industry Association of the District appointed Shannon Crawford director of state government affairs.
LAW AND LOBBYING
Barnes & Thornburg of the District appointed Michael Hordell of counsel in the corporate department and federal contracting, procurement and national security practice group.
Cozen O’Connor of the District appointed Lynnette Espy-Williams chief diversity officer.
Greenberg Traurig of the District appointed Cyril Brennan and Emily Naughton shareholders and Theresa Queen of counsel.
Latham & Watkins of the District appointed Jamie Underwood partner and Susan Engel counsel.
Morgan Lewis of the District appointed Philip Miscimarra partner.
Thompson & Coburn of the District appointed Geoffrey Coll and Edward Gray partners.
Wilson Sonsini Goodrich & Rosati of the District appointed Joshua Gruenspecht of counsel in the firm’s national security regulatory practice.
Politico Afternoon Energy: NPPD Chairman and CEO Pat Pope Will Join LPPC As New Chairman
February 22, 2018
By Caitlin Oprysko
MOVER, SHAKER: Nebraska Public Power District Chairman and CEO Pat Pope will join the Large Public Power Council as its new chairman. Pope will help oversee the coalition of the 26 largest consumer-owned U.S. utility companies for the next two years, replacing current Chairman Mark Bonsall, LPPC announced.
February 22, 2018
By Theodoric Meyer and Marianne Levine
— Keosha Varela has joined InterAction as communications director. She was previously a vice president at 270 Strategies.
— Kate Belinski, a lawyer who advises clients on campaign finance, lobbying and other government ethics issues at Nossaman, has been elected equity partner.
— DCI Group has added Kim McIntyre as a national media strategist/booker. She was previously assistant director of broadcast services at The Heritage Foundation.
— The Large Public Power Council has tapped Pat Pope, the president and chief executive of the Nebraska Public Power District, as its next chairman.
Public Power Daily: NYPA, SRP Cyber Experts Get Window Into How E-ISAC Handles Data
February 21, 2018
By Jeannine Anderson
Two cyber security experts – one from the East, one from the West – came to Washington, D.C., in late January to spend a week at the headquarters of the Electricity Information Sharing and Analysis Center, or E-ISAC. The two took part in a new pilot program to help utilities get to know the E-ISAC better and to give the agency feedback on how to better inform the U.S. electricity industry about cyber and physical attacks.
In interviews, these two utility officials – Jeff Staten, senior cyber security analyst with the New York Power Authority, based in White Plains, New York, and Nick Giaimo, principal security analyst with the Salt River Project near Phoenix, Arizona – talked about what the week at E-ISAC was like and discussed some of the initial lessons learned from the pilot project, called the E-ISAC Industry Augmentation Program.
In separate interviews, others involved with the project talked about how the idea for it came about and explained how participation in the program – which is currently limited to members of the Large Public Power Council (LPPC) – could be expanded later this year to include investor-owned utilities, public power utilities, and rural electric cooperatives. The second round of the pilot project is scheduled for late February into early March, and a third round is scheduled for late April into early May.
Intel from utilities is key
The E-ISAC staff “have connections to threat intelligence that folks in the industry don’t have,” and do a good job of analyzing that information, NYPA’s Staten said in a Jan. 29 interview. But it also is very important for the E-ISAC to receive pertinent information from the electric utility industry, he said.
“The more information they get, the better the analysis,” Staten said.
“If you don’t share information, you don’t get analysis,” he said. “If you don’t get analysis, you don’t get the bigger picture.” And utilities who report information to the E-ISAC can take advantage of the agency’s ability to synthesize and analyze data, he noted.
Both NYPA’s Staten and SRP’s Giaimo said that one of the initial lessons learned from the first week of the pilot program is that working alongside the E-ISAC staff, and getting to know the agency’s work processes, helps build trust between the ISAC and the electricity industry.
The E-ISAC is operated by the North American Electric Reliability Corporation, which sets mandatory reliability standards for the U.S. electric utility industry. Its offices are at NERC’s headquarters in Washington, but are physically separate from the rest of NERC, and E-ISAC staffers sign a code of conduct preventing them from disclosing any confidential information to others at NERC.
‘Firewall’ separates E-ISAC from rest of NERC
Staten said that, among other things, spending the week at the E-ISAC offices showed him and Giaimo that the ISAC is a separate organization, with a separate budget and office space that is walled off from the rest of NERC and is accessible only to E-ISAC staff.
“We observed a great sensitivity” by E-ISAC staff about “where the firewall is between the E-ISAC and NERC,” said Staten. There is “a clear boundary between E-ISAC and NERC.”
The E-ISAC is very careful about how it handles information that it gets from utilities, he added.
As an example, Staten said, “Say a phishing email is sent to a CEO,” and the utility reports this to the E-ISAC. The agency’s staffers “keep that information anonymous,” he said. “They sanitize it to make sure that the source of the information is not going to be revealed.”
The NYPA official noted that before spending the week with E-ISAC, he was aware of its watch floor and analysis team, but did not know about the full extent of the publications, workshops and other educational materials the E-ISAC produces. Those include daily, weekly and monthly reports, as well as special alerts and bulletins. The E-ISAC also takes part in and facilitates public and private sector participation in GridEx, the major NERC exercise held every other year; and its annual grid security conference, GridSecCon.
E-ISAC wants feedback from utilities
Staten emphasized that those who work at the E-ISAC are very eager to get feedback from the electric industry on what they do and want to know how they can improve.
“They were very solicitous of criticism – everybody was very open,” he said.
Asked for any advice he might give to others in the utility industry who are interested in taking part in the Industry Augmentation Program, Staten said that anyone presented with the opportunity to be in this type of exchange program should take advantage of it.
“Do it,” he said. “You’re going to learn so much.”
The Industry Augmentation Program encourages “better communication between the industry and the E-ISAC,” said the SRP’s Giaimo. The E-ISAC “is trying to look at various ways they can raise awareness of their role and increase engagement with industry,” he said in a Jan. 30 interview.
He and Staten “gave feedback as to which [of the E-ISAC’s] products we were aware of or were not aware of,” Giaimo said.
The face-to-face exchange made possible by the week at the E-ISAC’s headquarters was “extremely beneficial,” he said.
Getting to know E-ISAC – and each other
“Getting to know each other, examining their processes and tools, and giving them a glimpse into our processes” meant that he and Staten came away with a more detailed understanding of what goes on at the E-ISAC, said Giaimo. In turn, the E-ISAC staff gained a better understanding of how grid security operations take place at the utilities where the two industry participants work.
It also was a good opportunity for him and Staten to talk shop, he said.
“Jeff and I had numerous conversations about things going on in our organizations,” Giaimo said. “There is a lot of value in having that kind of community within the industry.”
The agency’s watch floor resembles a security operations center, with monitors on the walls, said the SRP official.
“It was helpful to see what their process looks like – see how they follow up with industry,” he said.
Asked whether he too would recommend the program to others in the electricity industry, he said, “I certainly would.”
These days, Giaimo observed, attackers “are becoming more highly organized, more well-funded.”
“Essentially anyone who has a presence on the Internet is going to be exposed to these types of threats,” he noted. “Then there are people who are interested in our sector specifically.”
When asked why people want to attack utility systems, he said such efforts can be motivated by different factors. There could be a financial reason for trying to extract customers’ data, or for gaining access to a utility’s network and then using it in various ways – for example, for cryptocurrency mining. A nation-state may want to obtain sensitive information about utility or grid operations that could be used later. People sometimes hack systems just to see if they can do it, as well, and sometimes there are “crimes of opportunity,” he said.
Whatever the reasons behind the attempted incursions, the E-ISAC helps utilities guard against them by uniting people within the electric utility sector, Giaimo said: “We’re better together.”
‘Trust is the cornerstone’
The Industry Augmentation Program pilot “is something we’ve been wanting to do for quite some time,” said Steve Herrin, the E-ISAC’s director of operations. It is “vital to get face-to-face feedback from the industry on how the E-ISAC operates,” he said in a Feb. 2 interview.
Asked about the preliminary lessons learned, and the role of trust in the relationship between the E-ISAC and utilities, Herrin said, “Trust is the cornerstone of the information-sharing concept.”
Without trust, he added, “no one wants to share anything.”
When someone from a utility shares its information with the E-ISAC, the E-ISAC is extremely careful what it does with that information, he said.
“We handle the information based on how the participants want us to,” Herrin said. The sharing of information is limited using a system of traffic light protocols, or TLP – a color code for the information. The utility – or whoever is sharing something with the E-ISAC – decides what TLP rating will apply to the information.
In the first week of the Industry Augmentation Program, the participants from NYPA and SRP “were really able to grasp how much the E-ISAC is a trusted source for quality analysis,” and for the rapid sharing of possible threat information, he said.
The E-ISAC “is very interested in getting feedback, to make their processes work better,” said Michael Fish, a Salt River Project official and a member of the Industry Augmentation Program Working Group, in a Feb. 1 interview. The working group is part of the LPPC’s Cyber Security Task Force, which helped create the IAP pilot program.
Fish, who is senior director of Enterprise Cyber Security at SRP, said the first week of the pilot project, held at E-ISAC’s offices Jan. 22-26, went very well.
“I think it was very successful,” Fish said. Some refinements may be made to the program in the coming weeks and months, he said, but so far, so good.
“I think we’re off and running,” he said.
The second round of the pilot project will take place the week of Feb. 25, with LPPC participants from the Nebraska Public Power District and the New York Power Authority. The third and last round of the pilot program is scheduled for the week of April 29, with LPPC participants from the Sacramento Municipal Utility District in California and JEA in Jacksonville, Florida.
E-ISAC had the idea; LPPC made it happen
The goal of the pilot program is “to provide the industry participants with a first-hand appreciation of the E-ISAC’s work processes and practices,” including its relationships with government agencies and other ISACs that have been created to protect critical infrastructure, notes the draft E-ISAC Industry Augmentation Program Manual for Pilot with the Large Public Power Council. Another objective of the pilot is “ultimately making the program available to the entire industry,” says the draft manual, which is being updated based on feedback from the pilot program.
The idea is for the electric utility industry to collaborate more with the E-ISAC and others “to raise our collective cyber security posture,” said Randy Crissman, senior consultant-utility operations with the New York Power Authority, who helped organize the pilot program on behalf of the LPPC and the E-ISAC.
Crissman said the idea for the pilot program came a couple of years ago, when he attended a presentation made by Marcus Sachs, the former NERC chief security officer who left the organization in November. Sachs mentioned the idea of a program that would bring utility people to the E-ISAC’s watch floor. The watch floor handles incoming information from utilities and others about possible incursions or other threats.
The idea was that the utility people, if they came to the E-ISAC, could help provide feedback on how well E-ISAC processes and products – such as bulletins, alerts and daily reports – were working from the point of view of the industry participants. At the same time, the E-ISAC could learn first-hand from the industry participants details about how their utilities’ cybersecurity programs are put together.
When the LPPC’s Cyber Security Task Force became aware of the E-ISAC’s desire for a pilot program that would make such an exchange possible, the task force began pursuing such a program, and formed the Industry Augmentation Program Working Group to work through the details.
Crissman did much of the ground work, setting up conference calls with LPPC and E-ISAC officials.
The objective was to help the E-ISAC pilot the program “and work out the kinks,” Crissman said in a Jan. 31 interview. The LPPC would help to create an experimental program at the E-ISAC which, if successful, would become a permanent, self-sustaining program that then would be opened up to the rest of the electricity industry.
Electricity is ‘built into everything’
Electricity “has made its way into the U.S. culture, and is as important as food or water,” said Kenneth Carnes, the New York Power Authority’s vice president and chief information security officer, in a Jan. 31 interview. Electric power is now essential and is “built into everything,” he said.
Carnes, who is a member of the LPPC’s Cyber Security Task Force, was in Washington, D.C. to help launch the program the week of Jan. 22.
He called the Industry Augmentation Program “a big win for both sides of the table” – the utility people who take part, and the E-ISAC staff – and added that the E-ISAC has been very supportive of it.
“I’m hoping we can continue” the program once the pilot stage is over, and possibly “use this as a model for any other ISACs” who might be interested, Carnes said.
He said the pilot program is a credit to the public power sector, which “has a strong history of collaboration.”
Pilot program dovetails with strategic plan
The Industry Augmentation Program “is one of the tools in our toolbox that we’ve been very thankful for, with Randy Crissman’s leadership,” said Bill Lawrence, director of the E-ISAC. The pilot program also fits well with the E-ISAC’s five-year strategic plan, which focuses on continuously improving information sharing, analysis, and engagement, he said, adding that the E-ISAC is currently recruiting for several new job openings, including more cyber and physical security analysts, and a director of engagement.
The industry has a vested interest in the E-ISAC and wants it to be a world-class organization. SRP’s Fish is also the public power representative on the E-ISAC member executive committee, which provides strategic leadership and direction to help guide the future of the E-ISAC.
For the industry participants coming to Washington, the new program “beefs up trust in the area of information sharing,” he said. “We show them how we go through the information-sharing process.”
The information is shared using the traffic light protocol, or TLP. If a utility tells the E-ISAC something, the utility can designate that information as TLP red, amber, green or white. If it’s TLP red, it must be tightly restricted – not shared even among E-ISAC officials.
If the information is designated as TLP amber, it can’t go outside the E-ISAC’s walls. If it’s TLP green, the E-ISAC can share the information with others who it believes have a reason to have this information. TLP white means the information is public.
The E-ISAC takes this system “extremely seriously,” said Lawrence, adding that the E-ISAC works hard to build trust with information providers while protecting their identities. The E-ISAC, he noted, also readily accepts information that is shared anonymously.
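The TLP handling described in the three paragraphs above, written out as a small sharing gate in Python. This is an added illustration, not code from the E-ISAC, NERC or the article. The four levels and the audience each one permits follow the article’s description (red: only whoever received it; amber: stays inside the E-ISAC; green: parties the E-ISAC believes have a reason to know; white: public). Two further rules are assumptions drawn from common handling practice rather than from the article: a product built from several submissions inherits the most restrictive marking of its sources, and a submitter who asked for anonymity is redacted before anything leaves the receiving analyst’s hands. All names, classes and sample submissions are constructed.

```python
"""Traffic-light-protocol sharing gate, modelled on the article's description.

Constructed illustration. Marking levels and permitted audiences follow the
article; the aggregation rule and the identity-redaction step are assumptions
(common handling practice), and every identifier here is made up.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class TLP(IntEnum):
    """Markings ordered from least to most restrictive."""
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3


class Audience(IntEnum):
    """Recipient scopes, ordered from widest to narrowest."""
    PUBLIC = 0
    TRUSTED_COMMUNITY = 1   # parties the E-ISAC believes have a reason to know
    EISAC_INTERNAL = 2      # E-ISAC staff only
    RECEIVING_ANALYST = 3   # only whoever the submitter handed it to


# Widest audience each marking allows; any narrower audience is also fine.
WIDEST_AUDIENCE = {
    TLP.WHITE: Audience.PUBLIC,
    TLP.GREEN: Audience.TRUSTED_COMMUNITY,
    TLP.AMBER: Audience.EISAC_INTERNAL,
    TLP.RED: Audience.RECEIVING_ANALYST,
}


def parse_marking(label: str) -> TLP:
    """Accept 'TLP:AMBER', 'tlp amber' or 'AMBER'; reject anything else.

    An unknown or missing marking is an error, never a default: the submitter
    chooses the marking, so the gate must not guess a looser one.
    """
    token = label.strip().upper().replace("TLP:", "").replace("TLP ", "").strip()
    try:
        return TLP[token]
    except KeyError:
        raise ValueError(f"unrecognised TLP marking: {label!r}") from None


def may_share(marking: TLP, audience: Audience) -> bool:
    """True when the audience is no wider than the marking allows."""
    return audience >= WIDEST_AUDIENCE[marking]


@dataclass(frozen=True)
class Submission:
    submitter: str      # the source utility (constructed names below)
    marking: TLP
    anonymous: bool     # submitter asked not to be identified
    summary: str


def release(sub: Submission, audience: Audience) -> Submission:
    """Return the copy that may go to `audience`, or raise if the marking forbids it.

    Assumed rule: the submitter's identity is removed whenever the copy leaves
    the receiving analyst's hands and the submitter asked for anonymity.
    """
    if not may_share(sub.marking, audience):
        raise PermissionError(f"{sub.marking.name} content cannot go to {audience.name}")
    if sub.anonymous and audience < Audience.RECEIVING_ANALYST:
        return replace(sub, submitter="[redacted]")
    return sub


def derived_marking(sources: list) -> TLP:
    """Assumed rule: a product built from several submissions carries the most restrictive marking."""
    if not sources:
        raise ValueError("no sources")
    return max(s.marking for s in sources)


if __name__ == "__main__":
    # Constructed sample submissions, not real E-ISAC data.
    a = Submission("Utility A", parse_marking("TLP:AMBER"), True, "phishing wave")
    b = Submission("Utility B", parse_marking("green"), False, "scanner address observed")
    print(release(a, Audience.EISAC_INTERNAL).submitter)   # [redacted]
    print(derived_marking([a, b]).name)                     # AMBER
```

The ordering of the two enums is what does the work: because both are integer-ordered from widest to narrowest, a single comparison in `may_share` covers every marking, and `derived_marking` is just `max`, so combining a green item with an amber one yields an amber product rather than leaking the amber detail under the looser label.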
Industry ‘has done a good job of defending itself’
Despite the proliferation of potential threats, “we are not one click away from the whole grid going dark,” Lawrence said.
“Once you start looking at taking down a major utility, then the next one,” and then the one after that, “it rapidly becomes a very challenging problem,” he explained, adding that this is due, in part, to the reliability standards set by NERC.
Asked about the possibility of an electromagnetic pulse (EMP) attack, he noted that the Department of Defense is capable of doing something about such a scenario, and said several utilities are stockpiling large transformers in EMP-shielded facilities.
“We consider all threats,” he said. “As scary as it looks out there, I think the industry has done a very good job of defending itself.”
Asked about the issue of trust, he said, “I’ve seen a shift in the willingness to trust us.”
Lawrence pointed out that the E-ISAC, though housed at NERC’s headquarters, is physically separate from the rest of NERC.
“We also have a code of conduct that prevents us from sharing any of our analysis,” he said. No identifying information about a utility can be shared with anyone doing work on enforcement of NERC’s reliability standards. The text of the code of conduct can be found at www.nerc.com.
A new portal, a growing staff
Lawrence pointed out that the E-ISAC introduced a new, upgraded portal in December, and said, “we’re trying to build up stakeholder use of the portal.” He also noted that the E-ISAC staff is expanding: it stands at 25 now and is set to grow to 52 in the next five years.
The portal is a secure site that is open to owners and operators of electric utility assets in the U.S., Canada and parts of Mexico. Although the E-ISAC is part of NERC, all utilities can sign up for notifications from the E-ISAC – they do not have to be registered with NERC.
Those in the electric industry who have not yet signed up for an account via the E-ISAC portal can do so by going to the E-ISAC’s website or by sending an email to firstname.lastname@example.org. Current users of the portal, as well as those who would like to join, are encouraged to provide feedback and/or seek technical support by contacting the E-ISAC at email@example.com or (404) 446-9780.
The American Public Power Association has encouraged its member utilities to sign up for the E-ISAC's portal to get alerts and resources to monitor and manage cyber threats.