FERC and NERC Talk Grid Resilience and Cybersecurity

On March 22, 2019, Foley Hoag hosted the New England Electricity Restructuring Roundtable, organized by Raab Associates. The roundtable featured keynote addresses by Federal Energy Regulatory Commission (“FERC”) Commissioner Cheryl LaFleur—who recently announced she will be stepping down later this year—and North American Reliability Corporation (“NERC”) CEO and President James Robb. Both took turns addressing the most pressing issues in energy.  Prominent among these were grid resilience and cybersecurity.

James Robb’s address touched on issues of reliability and resilience, but of the issues the electric industry is facing, the one that is top-of-mind for him—occupying about “sixty percent of my waking hours”—is the cyber threat. That threat is not stochastic like extreme weather; it is a “persistent, determined threat,” with adversaries intelligently selecting targets and operating 24 hours a day. According to Mr. Robb, NERC has encouraged a deliberate and intentional response to this threat by owners and operators of critical energy infrastructure in at least two key ways: critical infrastructure protection standards and information sharing and analysis:

1. Critical Infrastructure Protection Standards:
NERC has issued nine CIP standards, which cover:

    • incident reporting,
    • response planning,
    • critical cyber asset identification,
    • personnel and training, and
    • physical and digital security systems and management.

Violating these standards can lead to NERC levying significant fines. For example, earlier this year, NERC recommended a $10 million fine for a utility cited for over 120 CIP-standard violations over a three-year period. The utility agreed to the fine as part of a settlement that also required significant internal restructuring to improve cyber-related oversight and CIP-standard compliance.

2. Electricity Information Sharing and Analysis Center (ISAC):
ISAC is a NERC program that collects and analyzes security data from other federal agencies and, when permissible, shares that data with industry stakeholders. ISAC is a membership organization, although membership is free. It delivers cyber-security updates through a series of notifications, alerts, and reports, and it also recommends mitigation strategies.

The effectiveness of critical infrastructure protection standards and information sharing and analysis depends largely on entities implementing them. As Mr. Robb pointed out, only about 10 percent of the CIP-standard violations that NERC encounters are caused by technology issues.  The vast majority stem from faulty management, when leadership and management lack a strong cyber-security foundation. What’s most often needed to address cyber issues and comply with NERC standards, according to Mr. Robb, is plain “good spinach management.”

*   *   *

Commissioner LaFleur spoke about three main market challenges the electric energy industry is facing:

  1. Resource selection:
    Commissioner LaFleur noted that many restructured states have been increasingly directing distribution companies to buy new resources that the states prefer, such as natural gas and renewables, or requiring those companies to subsidize existing resources that the states do not want to see retired.
  2. Infrastructure challenges:
    Simply put, it’s difficult to build the kind of infrastructure needed to support the changing energy market, particularly in New England. Commissioner LaFleur reminded attendees that nuclear and hydro resources were built through regional cooperation. That same sort of cooperation might be needed for building infrastructure for gas and renewables.
  3. Pricing:
    Commissioner LaFleur explained that pricing electricity by volume might not work as well as it has in the past, because the use of new resources is changing the traditional cost curves that used to support volumetric pricing. She pointed to California and its so-called “duck curve.” California was generating so much solar energy on peak, she explained, that hydroelectric facilities had to spill water because there was too much power in the system at peak, and gas plants, whose power was still needed during evening hours, started shuttering from lack of revenue. A different approach to pricing electric energy might be needed, perhaps one focused on attributes, rather than volume.

This was Commissioner LaFleur’s final appearance at the Roundtable as a FERC Commissioner. She appeared twice before as a commissioner, in 2014 and 2011, and once in 2007 while serving as National Grid’s acting CEO.

Commissioner LaFleur closed with observations about her time at FERC, noting that it takes a long time, sometimes too long, for FERC to make policy. And commissioner turnover is higher than it was before, so the policy process can lack continuity. Her parting recommendation to parties that might appear before FERC: spend a lot of time building consensus around an issue first, before coming to FERC to resolve it.
