FERC and NERC Talk Grid Resilience and Cybersecurity

On March 22, 2019, Foley Hoag hosted the New England Electricity Restructuring Roundtable, organized by Raab Associates. The roundtable featured keynote addresses by Federal Energy Regulatory Commission (“FERC”) Commissioner Cheryl LaFleur—who recently announced she will be stepping down later this year—and North American Reliability Corporation (“NERC”) CEO and President James Robb. Both took turns addressing the most pressing issues in energy. Prominent among these were grid resilience and cybersecurity.

James Robb’s address touched on issues of reliability and resilience, but of the issues the electric industry is facing, he noted, the one that is top-of-mind for him—occupying about “sixty percent of my waking hours,” he said—is the cyber threat. That threat is not stochastic like extreme weather, he explained; it is a “persistent, determined threat,” with adversaries intelligently selecting targets and operating twenty-four hours a day.

According to Mr. Robb, NERC has encouraged a deliberate and intentional response by owners and operators of critical energy infrastructure in at least two key ways.

  • Critical Infrastructure Protection Standards: There are nine CIP standards that cover topics including:
    1. incident reporting,
    2. response planning,
    3. critical cyber asset identification,
    4. personnel and training, and
    5. physical and digital security systems and management.

Violating these standards can lead to serious fines. This year, for example, NERC recommended a $10 million fine for a utility cited by NERC for over 120 CIP-standard violations occurring across about a three-year period. The utility agreed to the fine as part of a settlement that also required significant internal restructuring to improve cyber-related oversight and CIP-standard compliance.

  • Electricity Information Sharing and Analysis Center (ISAC): ISAC is a NERC program that collects and analyzes security data from other federal agencies and, when permissible, shares that data with industry stakeholders. ISAC is a membership organization, though membership is free. It delivers cyber-security updates through a series of notifications, alerts, and reports, and it also recommends mitigation strategies.

Alone, however, these tools can only do so much. Their effectiveness depends in large part on the entities implementing them. As Mr. Robb pointed out at the roundtable, only about ten percent of the CIP-standard violations NERC encounters are caused by technology issues. Rather, the vast majority stems from faulty management, when leadership and management lack a strong cyber-security foundation. What’s most often needed to address cyber issues and comply with NERC standards, according to Mr. Robb, is plain “good spinach management.”

Commissioner LaFleur spoke about three main market challenges the electric energy industry is facing:

  • Resource selection: The commissioner noted that many restructured states have been increasingly directing distribution companies to buy new resources that the states prefer, such as natural gas and renewables, or requiring those companies to subsidize existing resources that the states do not want to see retired.
  • Infrastructure challenges: Simply put, it’s hard to build the kind of infrastructure needed to support the changing energy market, particularly in New England. Commissioner LaFleur reminded attendees that nuclear and hydro resources were built through regional cooperation. That same sort of cooperation might be needed for building infrastructure for gas and renewables.
  • Pricing: Commissioner LaFleur explained that pricing electricity by volume might not work as well as it has in the past, because the use of new resources is changing the traditional cost curves that used to support volumetric pricing. She pointed to California and its so-called duck curve. California was generating so much solar energy on peak, she explained, that hydroelectric facilities had to spill water because there was too much power in the system at peak, and gas plants, whose power was needed during the evening, started shuttering from lack of revenue. A different approach to pricing electric energy might be needed, perhaps one focused on attributes, rather than volume.

Commissioner LaFleur closed with observations about her time at FERC, notably that it takes a long time, sometimes too long, for FERC to make policy. The regulatory process can last for years. And commissioner turnover is higher than it was before, so the policy process can lack continuity. Her recommendation to parties that might appear before FERC: spend a lot of time building consensus around an issue first, before coming to FERC to resolve it.

This was Commissioner LaFleur’s final appearance at the Roundtable as a FERC Commissioner. She appeared twice before as a commissioner, in 2014 and 2011, and once in 2007 while serving as National Grid’s acting CEO.

Leave a Reply

Your email address will not be published. Required fields are marked *