Once again, the government misses the boat on grid security.
On July 28, 2021 President Biden issued a “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.” Here is the problem: It is still voluntary for electric utility companies to protect the electric grid:
Accordingly, I have established an Industrial Control Systems Cybersecurity Initiative (Initiative), a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.
When are we going to learn that asking 3000+ plus companies that own or operate the electric grid to “voluntarily” secure their part of the grid has not worked? “Voluntary” grid protection has not worked in decades and again the government misses the boat thinking it will work now. I recently discussed this in detail in my filing with the U.S. Department of Energy.
Maybe a more appropriate thing to do at this point is abandon ship and find a new boat. The new boat must be mandatory grid security – or better yet, mandatory critical infrastructure security.
The Problem: “Voluntary Grid Protection”
The government and the electric utility industry has failed to secure the grid from cyberthreats for over a decade. The industry refuses to secure the grid and the government refuses to order them to do so. Grid security is presently largely “voluntary.”
In the last decade the electric utility industry has spent $1.2 billion lobbying the U.S. Congress and another $150 million in “contributions.” (Not including lobbying and contributions at the state level.) Imagine if this $1.2 billion, which largely originated from the bills of ratepayers, was put towards electric grid security rather than lobbying against further regulation.
The industry’s lobbyists have embedded themselves over the years, as “partners” in DOE and FERC via the Electric Subsector Coordinating Council (“ESCC”) and trade organizations such as the Edison Electric Institute (“EEI”), the American Public Power Association (“APPA”), the National Rural Electric Cooperative Association (“NRECA”), the Large Public Power Council (“LPPC”), the Transmission Access Policy Study Group (“TAPS”), the Electric Power Supply Association (“EPSA”), WIRES, and the Electricity Consumers Resource Council (“ELCON”). These industry groups have actively fought against grid security regulation, mandatory critical infrastructure protection standards and public transparency.
The U.S. Government has been concerned about the cybersecurity of the critical electric infrastructure since at least 2003, the security of the electric grid from physical threats since at least 1981 and electromagnetic pulse (EMP) threats since at least 1975. In other words, we have been talking about securing our critical electric infrastructure for over four decades from the very threats we still face today.
The electric utility industry has lobbied and fought against mandatory grid protection regulations every step of the way. After the Great Northeast Blackout of 2003, Congress passed the Energy Policy Act of 2005 which added Section 215 to the Federal Power Act. However, this moved the needle very little on the security of the critical electric infrastructure. The impact was we moved from “voluntary” self-regulation to “mandatory” self-regulation – but only for a small portion of the whole critical electric infrastructure. Perhaps the problem we face today was best summarized in 2003 in Congressional testimony of Mark N. Cooper when the bill was being debated:
“We must not rely on industry self-regulation. The proposal to move from voluntary self-regulation to mandatory self-regulation misses the point. The difficulty is not the voluntary versus the mandatory. It is the ‘self’ part. We need clear accountability to public authorities.”
While public-private partnerships have their place, the industry has lobbied, promoted and ultimately hornswoggled the federal government into a system of “all carrots and no stick.” They laud the public-private partnerships and have fought for decades against regulation and mandatory standards to secure the critical electric infrastructure. Everything they do is calculated to kick the grid security can down the road and commission more “studies.” When finally forced to write a mandatory standard, the resulting weak standards should not be surprising. This hands-off approach has not worked and today our national security is jeopardized.
This buy-in by the federal government of the “voluntary” grid protection (that hasn’t worked but that the government continues to pursue) was apparent from the government witnesses in a hearing before the House Subcommittee on National Security: “Defending the U.S. Electric Grid Against Cyber Threats” on July 27, 2021. The witnesses from the Department of Energy (DOE), Department of Homeland Security (DHS) and Federal Energy Regulatory Commission (FERC) spoke heavily of voluntary efforts and “partnerships” with electric utility industry.
We have placed our trust and our national security in the hands of an industry with a checkered past: Samuel Insull, Enron, PG&E’s multiple felony convictions, the recent Ohio and Illinois bribery scandals to name only a few. In fact, R Street Institute pointed out:
“Policymakers should not dismiss these developments as merely the work of a few bad actors, but as the latest evidence of an established behavioral pattern tied to perverse incentives from flawed institutions.”
We should not trust the electric utility industry. If after all the industry’s efforts and counsel over the past decades, our critical electric infrastructure is not secure, perhaps their agenda is not the same as that of the United States government.
The U.S. needs mandatory protection of the electric grid.
After the Enron debacle, Congress enacted certification requirements for publicly traded companies related to financial and disclosure controls. (See sections 302, 404 and 906 of the Sarbanes-Oxley Act of 2002.)
A similar model would work for electric grid cybersecurity.
Legislation is needed mandating that reasonably prudent cybersecurity measures be taken by all companies, public or private sector, that are part of the 16 critical infrastructure sectors described in Presidential Policy Directive 21.
- The Chief Executive Officer of each such critical infrastructure company must be required to certify periodically to DHS that they have reasonably prudent cybersecurity measures in place that have been reviewed and approved by the Chief Executive Officer of the company.
- There must be civil and criminal penalties for false certification or failure to submit such certifications.
- These certifications should be made available to the public as well as state and federal authorities.
- There must be whistleblower protections for employees of the critical infrastructures who report violations of laws, regulations or standards to their employer, regulators or the government. (For an example of such a provision contemplated by Senators Grassley and Markey in on March 3, 2020, see Congressional Record, pages S1413 and S-1414.)
This would be the simplest and fastest way to move towards the U.S. mandatory protection of the electric grid.
The government and the industry are not likely to do shift from “voluntary” to “mandatory” electric grid protection without the public demanding it be done.
[wpedon id=”5868″ align=”center”]