Electric Industry Wants to Defer Implementation of Cybersecurity

Posted on April 10, 2020 by Michael Mabee

Protest and Comments of Michael Mabee

Submitted to FERC on April 10, 2020

I am a private citizen who conducts public interest research on the security of the electric grid. I have also previously filed comments in one of the impacted dockets.

Protest of the Commission’s April 6, 2020 “Notice Shortening Answer Period”

On April 6, 2020, the North American Electric Reliability Corporation (NERC) filed a motion to delay the implementation of several Reliability Standards, including Critical Infrastructure Protection (CIP) standards, because of the current COVID-19 pandemic. This motion has a “First Received Date” of “4/6/2020 2:04:58 PM” and a “Posted Date” of “4/6/2020 4:47:33 PM” according to the Commission’s public records.[1]

Minutes after NERC’s motion was posted to the Commission’s public website (April 6, 2020 at 5:26 p.m.[2]), the Commission issued a notice that “that the date for filing answers to NERC’s motion is shortened to and including April 9, 2020.” This effectively gave the public three days to file comments and did not even include a weekend. Unlike the electric industry with their full-time attorneys and lobbyists, some of the public have “day jobs” and families. It is in the public interest to allow a reasonable amount of time for public comment in matters as important as the implementation of reliability standards.

I respectfully point out that three days is an unreasonably short time period and respectfully request that my comments be accepted and considered. I also would recommend that the time period on this matter be further extended to allow for further public comment.

Comments

For the reasons set forth below, the Commission should deny NERC’s Motion to Defer Implementation of Reliability Standards.

A pandemic was NOT unexpected and the industry should have been prepared. Therefore, a delay in implementation of standards is not appropriate.

The U.S. government, NERC and the electric industry have been aware of the threat of a pandemic for years and this current pandemic should not have taken NERC or the electric industry by surprise.

In 2006 NERC (then the North American Electric Reliability Council) published their “Electricity Sector Influenza Pandemic Planning, Preparation, and Response Reference Guide.”[3] In fact, NERC still referred to this 2006 document in their 2015 revision of their “Security Guideline for the Electricity Sector: Continuity of Business Processes and Operations Operational Functions.”[4]

Also, in 2006 the Department of Homeland Security (DHS) published: “Pandemic Influenza Preparedness, Response, and Recovery Guide for Critical Infrastructure and Key Resources.”[5] The report cautioned:

Public health experts warn pandemic inﬂuenza poses a signiﬁcant risk to the United States and the world—only its timing, severity, and exact strain remain uncertain. International, Federal, State, local, and tribal government agencies are diligently planning for the public health response to this potential pandemic. The disease could be severe and could affect our critical infrastructure and our nation’s economic and social security. It is important that you take action.

In 2007, there was an industry conference on pandemic planning in New York City: “Advanced Pandemic Planning for the Energy Sector.”[6] Clearly the industry has had pandemic planning on the radar for over a decade.

The Department of Energy (DOE) has long considered pandemic to be a threat to the electric grid. In fact, NERC joined DOE on June of 2010 in publishing a report “High-Impact, Low-Frequency Event Risk to the North American Bulk Power System.”[7] The report noted:

Today, targeted action is required to define clear roles for the public and private sectors in ensuring appropriate protections are in place to deal with the effects of a pandemic disease or geomagnetic disturbance.

In December of 2015 the Department of Energy’s. Pacific Northwest National Laboratory published a report: “Framework for Modeling High-Impact, Low-Frequency Power Grid Events to Support Risk-Informed Decisions.”[8] The report noted:

For instance, hazards associated with pandemics require a characterization of stressors and vulnerabilities that appropriately reflect the potential impact of loss of human resources to control and maintain grid and infrastructure assets. In this sense, the current framework goes beyond establishment of the basis for developing risk models to identifying methodology development needs.

Finally, in November 2019 (literally one month before the current virus became known) the Department of Homeland Security’s publication: “A Guide to Critical Infrastructure Security and Resilience,” still listed pandemic as a threat to the critical infrastructure.[9]

The current COVID-19 pandemic is an event long predicted and pandemic plans should long have been in place to ensure the reliability of the electric grid. Therefore, it is unreasonable to fail to implement long anticipated protections to the grid in the reliability standards which are the subject of NERC’s current motion.

The Industry purports that they are prepared – and tells this to the public.

In February 2020, the Edison Electric Institute (EEI), whose members include state-owned corporations from the Communist regime of of the People’s Republic of China,[10] published a report: “Electric Companies & Pandemic Planning What You Should Know.”[11] The report tells the public:

The business continuity and pandemic plans developed by electric companies are designed to protect the people working for them and to ensure energy operations and infrastructure are supported properly. These measures help to guarantee that companies can continue to provide safe and reliable electricity throughout an emergency.

Therefore, EEI – the trade group representing all U.S. investor-owned electric companies – tells us that the companies were prepared for this pandemic.

On March 19, 2020 the Los Angeles Times published an article: “How power companies are keeping your lights on during the pandemic.”[12] The article notes:

The American power grid has been described as the world’s biggest machine — and the people who run that machine say they’re prepared to keep the lights on as the COVID-19 pandemic spreads.

The article quotes several industry officials:

“Say what you will about the utility industry — they’re pretty good about contingency planning,” said Stephen Berberich, president of the California Independent System Operator, which manages the electric grid for most of the state. “Things are changing quickly, and we’re doing our best to adapt to changing conditions. But I have every confidence in our people and our technology.”

And,

The power sector started developing more detailed pandemic plans over a decade ago, in the wake of SARS and other contagious disease outbreaks, said Scott Aaronson, vice president of security and preparedness for the Edison Electric Institute, a utility trade group. Now, electricity providers are implementing those plans, and participating in twice-weekly phone conferences with federal officials at the Department of Energy, the Department of Homeland Security and other agencies.

“By planning for a lot of different worst-case scenarios and a lot of potential contingencies, I have confidence that the sector will be prepared to respond no matter how this evolves,” Aaronson said.

The industry is telling the public that they have been prepared for a pandemic. Therefore, it is unreasonable to fail to implement long anticipated protections to the grid in the reliability standards which are the subject of NERC’s current motion.

The pandemic has made the U.S. more vulnerable to the impact of physical and cyberattacks on the grid and, therefore, implementing the CIP standards at the earliest possible opportunity is more critical than ever.

I would finally note that a coordinated cyberattack or physical attack during a pandemic is a threat to the national security of the United States. Now is not the time to defer protections to the electric grid that the industry has had ample time to prepare for – because of a pandemic that the industry is telling the public they are prepared for.

Granting NERC’s motion places the U.S. in further danger and is not in the public interest.

Recommendation

For the reasons set forth above, the Commission should deny NERC’s Motion to Defer Implementation of Reliability Standards.

If the Commission believes it must grant the requested relief, then this is evidence that the industry was not adequately prepared for a pandemic. Therefore, if granting the requested relief, the Commission should also direct NERC to develop a CIP standard for pandemic and biological hazard preparedness.

Respectfully submitted,

Michael Mabee

CLICK HERE for PDF copy

Footnotes:

[1] See “Document Information” at https://elibrary.ferc.gov/idmws/doc_info.asp?document_id=14849348

[2] See “Document Information” at https://elibrary.ferc.gov/idmws/doc_info.asp?document_id=14849369

[3] Available at: https://www.nerc.com/comm/CIPC_Security_Guidelines_DL/NAERC200701.pdf

[4] Available at: https://www.nerc.com/comm/CIPC_Security_Guidelines_DL/WTRMRK-Continuity_Business_Operational_Functions-Retired.pdf

[5] Available at: https://www.dhs.gov/sites/default/files/publications/cikrpandemicinfluenzaguide.pdf

[6] See: https://www.mcguirewoods.com/news-resources/publications/Roche-Energy-White-Paper.pdf

[7] Available at: http://bit.ly/2O3Tlns

[8] Available at: http://bit.ly/2T0XEnV