Public power utilities, together with the entire electric utility industry, take very seriously their responsibility to maintain a secure and reliable electric grid. Electric utilities are the only critical infrastructure sector that has mandatory and enforceable federal regulatory standards in place for cyber and physical security (collectively known as grid security).
- ElectriCities supports the electric industry’s existing cybersecurity regulatory structures. Federal law gives the Federal Energy Regulatory Commission (FERC) and the North American Energy Reliability Council (NERC) the authority to establish and enforce reliability standards on “all users, owners and operators of the bulk-power system” including public power entities. NERC, working with electric industry experts, regional entities, and government representatives, regularly drafts reliability, physical security, and cybersecurity standards that apply across the North American grid.
- ElectriCities supports federal funding for cyber and physical security protections, including grants for small utilities. ElectriCities supported passage of the Cybersecurity Act of 2015, which provides policies and procedures for sharing cybersecurity threat information between the federal government and private entities (which includes electric utilities), as well as sharing between private entities while providing limited liability protection for these activities if conducted in accordance with the act.
- We also strongly support the grid security provisions of the Fixing America’s Surface Transportation Act or “FAST Act,” which gave the Secretary of Energy broader authority to address grid security emergencies under the Federal Power Act. It also clarified the ability of FERC and other federal agencies to protect sensitive critical electric infrastructure information (CEII) from public disclosure under the federal Freedom of Information Act (FOIA).
The authorities, regulations, and standards outlined above provide a solid foundation for strengthening the industry’s security posture. As an industry, we will continue to focus on improving on that foundation.
Substation attacks in North Carolina and other parts of the country have sparked a national discussion on grid security. ElectriCities and member public power communities are actively reviewing their security precautions and are taking actions to reduce the impacts on their communities in the event of an attack. Legislation and regulation are being considered at both the state and federal levels to strengthen security. While ElectriCities supports proposals that would increase the penalties for those who damage utility infrastructure, too little is known about the attacks to support any new government mandates at this time. ElectriCities looks forward to learning more from law enforcement and from an evaluation currently being conducted by the North American Electric Reliability Corporation.