Regulatory Groups Fail to Protect Power Grid from Cyberattacks

A House subcommittee is criticizing officials with the regulatory bodies that oversee the power grid, saying they have both misled the public and failed to protect the nation’s electrical power system against cyberattacks.

In an article on the NextGov website, Jill R. Aitoro says “members of the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology took aim on Wednesday at the North American Electric Reliability Corporation (NERC), which, operating as the Electric Reliability Organization, develops standards for power plants. The standards are approved by the Federal Energy Regulatory Commission (FERC), which enforces the reliability benchmarks for most of the nation’s power plants. The 2005 Energy Policy Act established the formal relationship between the two organizations.”

“I have real doubts about NERC’s ability to regulate new standards,” Rep. Jim Langevin, D-R.I., chairman of the subcommittee, said at a hearing last week. “It seems to not take this authority seriously. Follow ups with industry to see how they implemented [standards spurred by] Aurora were too limited in scope. It’s hard to know why NERC would take such a laissez-faire approach to this issue.”

Officials, however, told the subcommittee they don’t have the authority to act quickly enough to institute those safeguards. Joseph Kelliher, chairman of FERC, said the cause of the failure to protect adequately power plants is the Energy Policy Act.

“In my view, FERC currently does not have sufficient authority to adequately guard against cybersecurity threats to the reliability of the bulk power system,” he said. “The principle flaw of the [Energy Policy Act] is it simply takes too long; it can take years to develop new and modified standards.”