FERC Denies Grid Physical Security Complaint, BUT...

In an order that appears to be largely cut and pasted from the electric industry arguments, FERC denied my electric grid physical security complaint on June 9, 2020. However, FERC Commissioner McNamee filed a separate “concurring opinion” which reads like a dissent. Apparently, the physical security complaint struck a nerve.

Background of my Physical Security Complaint

By way of background, in 2014 the Federal Energy Regulatory Commission (FERC) ordered the grid’s self regulatory entity, the North American Electric Reliability Corporation (NERC) to draft the physical security standard. (You read that correctly: the electric sector writes is own standards—not the government.) This was the result of Congressional and media concern after spectacular physical attack against a PG&E transformer in Metcalf California in 2013 raising concerns about terrorism.

It is important to understand NERC and the electric sector did not want to write the standard—they were forced. Unfortunately, the resulting standard is weak and fraught with loopholes.

It is also important to note that, at the time I filed the physical security complaint, there had been 245 physical attacks on the grid since the standard became effective.

After discovering some disturbing inadequacies in the physical security of the electric grid, I filed a complaint with the FERC on January 29, 2020. My complaint alleged that the mandatory physical security standard for the electric grid (CIP-14-2) was grossly inadequate and rarely enforced. I provided detailed analysis of the standard and evidence to support my allegations. FERC opened Docket Number EL20-21-000 on the complaint and invited public comments and intervention. NERC and almost the entire electric industry vehemently opposed the complaint. Unfortunately, FERC Commissioners have frequently proven themselves unwilling to buck the industry – even on national security matters. Therefore, the easiest thing for them to do here was dismiss the complaint on a technicality. (It’s not that the physical security of the grid is adequate – it is that we already approved the standard and we see no reason to revisit it now.)

The Complaint and all the substantive filings in this docket are linked on the bottom of this page.

FERC’s Order Denying Physical Security Complaint

FERC’s Order denies the complaint for the reasons presented by NERC and the industry Trade Associations. In fact, parts of FERC’s order seem to mimic the exact same arguments submitted by the industry. For example, the FERC Order states:

Relying solely on the small number of filed violations is not a sufficient basis for us to conclude that Reliability Standard CIP-014-2 is not being enforced when it is equally plausible that the small number of violations could be attributed to industry compliance.

FERC Order at ¶20. Compare to NERC’s argument on page 16 of their filing, mimicked by one of the Trade Associations’ arguments (APPA, LPPC and TAPS) on page 4 of their filing . There are many other examples.

The other Trade Association filing (NRECA and EEI – whose members include corporations owned by the Government of the People’s Republic of China), tried to end their missive with a catchy phrase:

Reliability is not measured by the number of violations of standards or penalties filed at the Commission. Rather, reliability is measured by keeping the lights on.

Really? Well on September 10, 2001 domestic safety was measured by the lack of terrorist attacks. The Trade Associations miss (or ignore) the point: Let’s fix grid physical security before the lights go out.

Unfortunately, FERC fell right in line with the industry’s wishes and dismissed the complaint, largely on a technicality – there is no reason to revisit the physical security standard – what is done is done, and therefore it must be okay.

Commissioner McNamee’s “Dissenting Concurrence”

Departing FERC Commissioner Bernard L. McNamee filed a separate “concurring” opinion. Commissioner McNamee, who announced in January that he is leaving FERC after his term expires, talks in detail about the threats to the electric grid. I’m including his entire text below. I’ve highlighted a few parts, but the entire opinion is excellent.

(Issued June 9, 2020)

McNAMEE, Commissioner, concurring:

The Commission’s order in this proceeding denies the Complaint alleging that Reliability Standard CIP-014-2 (Physical Security) is “inadequate” and that “enforcement of the mandatory physical security standard seems nonexistent.” The order also denies the Complaint’s request for an order from the Commission directing the North American Electric Reliability Corporation (NERC) to correct these alleged deficiencies. Though the Commission’s reasoning in denying the Complaint is correct as a matter of law, I write separately to encourage NERC, regulated entities and the Commission to continually reassess the security of all assets used for the generation, transmission and distribution of electricity.[1]

Cyber and Physical Threats Are Real

The importance of electricity to the security and safety of the American people cannot be overstated. Virtually every aspect of our lives, our businesses, and our society depend on access to reliable and affordable electricity. Therefore, any realized threat to our electric system can have devastating effects on individuals, families, businesses, the economy and the nation. We know this; so do our adversaries.
In the summer of 2018, then Director of National Intelligence Dan Coats stated, referencing the attacks on our country of September 11, 2001, that “the warning lights are blinking red again” and “the digital infrastructure that serves this country is literally under attack.”^[2] We know that this referenced infrastructure includes our bulk power system. It has been publicly reported that nations such as Russia, China, Iran, and North Korea, as well as terrorist organizations and non-state actors, have attempted to and have the capability and intent to infiltrate our electrical systems, primarily through cyber-attacks.[3] There is also a growing awareness that we need to be concerned about the supply chain for software and equipment used in the electric industry.[4] The ability to remotely interfere with our electric system through cyber-attacks creates real threats to the physical operation of the grid. The Commission, NERC and regulated entities have been working to address these threats and must continue to do so.
Physical attacks on electric infrastructure are also a real threat. For example, the event that prompted Reliability Standard CIP-014-2 (Physical Security) was the April 2013 physical attack on the Metcalf substation in San Jose, California. This attack involved individuals using rifles to target the 500 kV substation; seventeen transformers were damaged in the attack.[5] Similarly, in September 2016, an individual armed with a high-powered rifle successfully conducted a sniper attack in Utah, knocking out the Buckskin substation and causing a loss of power for 13,000 customers.[6]
It is also recognized that remotely controlled unmanned aerial vehicles, or drones, can be employed to attack energy infrastructure. As an example, we only need to consider the public reports that drones were likely used to attack and damage oil refineries in Saudi Arabia in September, 2019.[7] We also need to be vigilant about the potential threat posed by various forms of electromagnetic pulse (EMP) when considering electric infrastructure security.[8]

President Executive Order

Among other actions taken by Congress and the President, on May 1, 2020, President Trump issued an Executive Order on “Securing the United States Bulk-Power System.” In its preamble the Executive Order observes:

[F]oreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system, which provides the electricity that supports our national defense, vital emergency services, critical infrastructure, economy, and way of life. The bulk-power system is a target of those seeking to commit malicious acts against the United States and its people, including malicious cyber activities, because a successful attack on our bulk-power system would present significant risks to our economy, human health and safety, and would render the United States less capable of acting in defense of itself and its allies.[9]

To address these threats, the Executive Order prohibits the purchase or use of equipment for the electric grid that was manufactured by an entity under the control of a foreign adversary or that poses a national security threat.

FERC and NERC Responses to Cyber and Physical Security

Under the Energy Policy Act of 2005, FERC, along with NERC, oversees implementation and enforcement of mandatory reliability standards for both cyber and physical security in the bulk electric system.[10] Through the development of Critical Infrastructure Protection or CIP standards, we ensure that the assets that support the nation’s electricity supply comply with baseline standards for cyber and physical security. Though the Complaint at issue in this proceeding is denied, the work to secure the grid is ongoing.
The threats to the grid are real and we must remain vigilant. FERC and NERC have been working with industry to establish standards. But standards are only the beginning. In addition to these baseline standards, FERC and NERC must also work collaboratively with industry to establish best practices in addressing these threats. It is up to everyone to be vigilant and proactive in preventing attacks and mitigating security risks. As a Commission we need to work continually with NERC and the regulated community to ensure that our electric grid is secure against cyber and physical attacks.

For these reasons, I respectfully concur.

______________________________

Bernard L. McNamee
Commissioner

[1] I recognize that the Commission does not have jurisdiction over the local distribution of electricity or the siting and permitting of generation facilities; but due to the interconnected nature of the electric system, it is important that regulated entities and regulators be cognizant of the fact that threats to any part of the system can be a threat to the entire electrical system.

[2] See National Public Radio, Transcript: Dan Coats warns of continuing Russian cyberattacks (Jul. 18, 2018), https://www.npr.org/2018/07/18/630164914/transcript-dan-coats-warns-of-continuing-russian-cyberattacks.

[3] Department of Energy, Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector at 20-23 (Aug. 2016), https://www.energy.gov/sites/prod/files/2017/01/f34/Cyber%20Threat%20and%20Vulnerability%20Analysis%20of%20the%20U.S.%20Electric%20Sector.pdf.

[4] See generally Reliability Standard CIP-013-1, Cybersecurity – Supply Chain Risk Management.

[5] Congressional Research Service, Physical Security of the U.S. Power Grid: High-Voltage Transformer Substations at 7 (Jun. 17, 2014), https://fas.org/sgp/crs/homesec/R43604.pdf.

[6] Peter Behr, Substation attack is new evidence of grid vulnerability, E&E News (Oct. 6, 2016), https://www.eenews.net/stories/1060043920.

[7] David Reid, Saudi Aramco reveals attack damage at oil production plants, CNBC ( Sep. 21, 2019), https://www.cnbc.com/2019/09/20/oil-drone-attack-damage-revealed-at-saudi-aramco-facility.html.

[8] See Executive Order No. 13865, 84 Fed. Reg. 12041 (2019); see also Department of Energy, Electromagnetic Pulse Resilience Action Plan (January 10, 2017), https://www.energy.gov/sites/prod/files/2017/01/f34/DOE%20EMP%20Resilience%20Action%20Plan%20January%202017.pdf.

[9] See Executive Order No.13920, 85 Fed. Reg. 26595 (2020).

[10] Energy Policy Act of 2005, Pub. L. No. 109-58, § 1211, 119 Stat. 941-46 (2005) (codified at 16 U.S.C. § 824o).

Physical Security Complaint

Filings Supporting the Complaint

Filings Opposing the Complaint

Please help support Michael Mabee's public interest research and grid protection work. Thanks!