Utility Dive: Utility Industry Casts Doubt on FERC’s Proposed Cyber Standards

Utility Dive

Utility Industry Casts Doubt on FERC’s Proposed Cyber Standards

September 25, 2015

By Robert Walton

Dive Brief:

  • The utility industry is pushing back on some proposals made by the Federal Energy Regulatory Commission (FERC) to address cybersecurity weaknesses. A coalition of industry groups doubt FERC's authority to make some changes, questioning whether others are necessary, Fierce Energy reports.
  • FERC has been trying to address cybersecurity across the utility supply chain, but a broad group of power providers say regulators lack authority to oversee third-party providers on the grid.
  • Moreover, the coalition told FERC that its revised critical infrastructure protection standards already address many security issues, and that regulators may be overstating the risk involved.

Dive Insight:

Over the summer, federal regulators laid out a series of modifications to critical infrastructure protection reliability standards designed to address growing concerns that the nation's bulk generation and transmission systems are vulnerable to cyberattacks. The Federal Energy Regulatory Commission (FERC) wanted the utility industry to develop new security protocols, including standards for data flowing across unsecured third-party networks.

But in comments filed this week by a broad range of utility groups, the industry cast doubt on FERC's authority to regulate some areas and said the issue overall may be blown out of proportion.

"While the Trade Associations agree that CIP and cybersecurity risks form a high priority strategic matter for the electric industry, no events or disturbances have taken place that indicate a problem or emerging pattern or trend," the group told FERC.

The coalition includes the American Public Power Association, the Edison Electric Institute,

Electric Power Supply Association, the National Rural Electric Cooperative Association, Electricity Consumers Resource Council, Transmission Access Policy Study Group, and the Large Public Power Council.

The groups also said FERC's CIP V5 standards already "address a broad range of supply chain issues," and cast doubt on the commission's ability to regulate third-party providers which are rapidly becoming a major player on the grid.

"The commission has no direct oversight authority over third-party suppliers or vendors and, in addition, cannot indirectly assert authority on them through jurisdictional entities," the groups said. FERC's rationale behind its claim to regulate them has no limits, the group said, and "without such limits, the Commission ostensibly could seek to regulate under the blanket rationale of 'supply chain' any number of areas, including fuel procurement or labor relations."

In July, Lloyd's of London issued a report aimed at informing the insurance industry as to the potential impacts of a widespread attack on the U.S. power grid. The analysis showed the total economic loss could range from $243 billion up to $1 trillion in the most damaging scenarios.

# # #

Friday, September 25, 2015