Will grid regulators FINALLY take security seriously?

By Tommy Waller

One week after the President of the United States declared a national emergency with respect to the electric grid and issued Executive Order 13920: “Securing the United States Bulk-Power System,” prominent grid security researcher and Secure the Grid Coalition member Michael Mabee filed an official complaint with the federal agency who is supposed to oversee the security of that system: the Federal Energy Regulatory Commission (FERC).

Mabee’s complaint makes clear that the “action by the President is a vote of no-confidence in the lackadaisical and inadequate actions of FERC and NERC.”  NERC is the North American Electric Reliability Corporation (NERC) , a not-for-profit corporation that acts as the self-regulatory organization “whose mission is to assure the reliability of the bulk power system (BPS) in North America.”

Mr. Mabee, a retired U.S. Army Command Sergeant Major, has long decried the “mind numbingly complex regulatory scheme” and has filed numerous motions with FERC to remedy serious gaps in security. In January 2020, he submitted an official complaint to FERC on the inadequacy and lack of enforcement of the NERC physical security standard, which is supposed to protect the system from sabotage.  The complaint was vigorously protested by the electric power industry.

His most recent complaint underscores the importance of President Trump’s Executive Order by pointing out:

• that “two and a half years after FERC ordered the Cyber Security Supply Chain Risk Management standard, NERC hadn’t even checked to see if there is Russian or Chinese equipment or software installed on the electric grid.”
• that “the standard only covers high and medium impact systems and excludes supposed “low impact systems.” Unfortunately, the discretion is left to the individual companies in the industry to decide what is “low impact.”
• that the Executive Order “invalidates the present scheme…in which each individual company has the discretion to decide the systems to which it wishes the standard to apply. The president of the United States has ordered the entire bulk power system protected.”

Mr. Mabee’s complaint draws upon inputs from internationally acclaimed cybersecurity experts who have already documented these numerous flaws for FERC and NERC, such as cybersecurity expert George Cotter, who submitted an assessment to FERC in September 2019 pointing out that:

“only 1374 of a total of 16,412 BES Transmission Substations qualified for CIP Standards based on Kv power minimums (over 90% excluded) and of the qualifiers, only 550 (40%) were estimated by their utilities to be critical to BES Reliability.”

The complaint reads: “In other words, the vast majority of facilities in the bulk power system are excluded from the CIP standards by their very design” and also points to a report issued the very same month by the Government Accountability Office (GAO) that found:

The Federal Energy Regulatory Commission (FERC)—the regulator for the interstate transmission of electricity—has approved mandatory grid cybersecurity standards. However, it has not ensured that those standards fully address leading federal guidance for critical infrastructure cybersecurity—specifically, the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Mr. Mabee’s complaint provides two recommendations:

• that FERC “should direct NERC to Modify CIP-013-1 (Cyber Security – Supply Chain Risk Management) to cover every piece of equipment in the bulk power system with no exceptions including purported “low impact” BES cyber systems. Utilities should not have the discretion to decide what parts of the bulk power system they wish to protect.”
• that FERC “should direct NERC to revamp all CIP standards to “fully address leading federal guidance for critical infrastructure cybersecurity—specifically, the National Institute of Standards and Technology (NIST) Cybersecurity Framework.”

The electric utility industry, mostly through its trade associations and lobbying groups, have strongly opposed Mr. Mabee’s previous efforts to encourage FERC and NERC to enhance grid security standards, to aggressively enforce these standards, and to be transparent in the penalties associated with that enforcement.

President Trump’s Executive Order 13920 has now validated Mr. Mabee’s previous assessments and his current complaint that “This is a true emergency and the Commission should act on this complaint with a sense of urgency.

FERC now has a choice:  they can either side with the President of the United States and finally address the security gaps which his executive order seeks to remedy, or they can persist with “business as usual” which keeps the nation at perpetual risk.

Since FERC traditionally bends to the will of the utility industry, perhaps the most important question is where the industry and their lobbying organizations will fall, with the President (and Mr. Mabee) or against him?