Grid Security Now!

Grid Security Now!

Michael Mabee – Author of The Civil Defense Book

Menu
  • Home
  • Library
    • Grid Security Library
      • Government Documents on Grid Security
      • OE-417 Electric Disturbance Events Database
      • CIP Violation Database
      • Database of Chinese Transformers and Equipment in the U.S. Electric Grid
      • Why Haven’t We Secured the Grid?
      • What is the Electric Grid and How is it Regulated?
      • Grid Protection Posts
      • Video (EMP and Grid Security)
    • Civil Defense Library
      • The cavalry is not coming
      • Civil Defense Posts
      • Video (Preparedness)
      • Civil Defense Checklists
  • In the Press
  • Take Action!
  • Fund The Fight!
  • About Me
    • About Michael
    • Interviews – Michael Mabee
    • Subscribe to Mike’s Blog
    • Contact Me
  • My Book
Menu
Government Misses the Boat on Grid Security - Again

Government Misses the Boat on Grid Security – Again

Posted on July 31, 2021 by Michael Mabee

Once again, the government misses the boat on grid security.

On July 28, 2021 President Biden issued a “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.” Here is the problem: It is still voluntary for electric utility companies to protect the electric grid:

Accordingly, I have established an Industrial Control Systems Cybersecurity Initiative (Initiative), a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.

When are we going to learn that asking 3000+ plus companies that own or operate the electric grid to “voluntarily” secure their part of the grid has not worked? “Voluntary” grid protection has not worked in decades and again the government misses the boat thinking it will work now. I recently discussed this in detail in my filing with the U.S. Department of Energy.

Maybe a more appropriate thing to do at this point is abandon ship and find a new boat. The new boat must be mandatory grid security – or better yet, mandatory critical infrastructure security.

The Problem: “Voluntary Grid Protection”

The government and the electric utility industry has failed to secure the grid from cyberthreats for over a decade. The industry refuses to secure the grid and the government refuses to order them to do so. Grid security is presently largely “voluntary.”

In the last decade the electric utility industry has spent $1.2 billion lobbying the U.S. Congress and another $150 million in “contributions.” (Not including lobbying and contributions at the state level.) Imagine if this $1.2 billion, which largely originated from the bills of ratepayers, was put towards electric grid security rather than lobbying against further regulation.

The industry’s lobbyists have embedded themselves over the years, as “partners” in DOE and FERC via the Electric Subsector Coordinating Council (“ESCC”) and trade organizations such as the Edison Electric Institute (“EEI”), the American Public Power Association (“APPA”), the National Rural Electric Cooperative Association (“NRECA”), the Large Public Power Council (“LPPC”), the Transmission Access Policy Study Group (“TAPS”), the Electric Power Supply Association (“EPSA”), WIRES, and the Electricity Consumers Resource Council (“ELCON”). These industry groups have actively fought against grid security regulation, mandatory critical infrastructure protection standards and public transparency.

The U.S. Government has been concerned about the cybersecurity of the critical electric infrastructure since at least 2003, the security of the electric grid from physical threats since at least 1981 and electromagnetic pulse (EMP) threats since at least 1975. In other words, we have been talking about securing our critical electric infrastructure for over four decades from the very threats we still face today.

The electric utility industry has lobbied and fought against mandatory grid protection regulations every step of the way. After the Great Northeast Blackout of 2003, Congress passed the Energy Policy Act of 2005 which added Section 215 to the Federal Power Act.  However, this moved the needle very little on the security of the critical electric infrastructure. The impact was we moved from “voluntary” self-regulation to “mandatory” self-regulation – but only for a small portion of the whole critical electric infrastructure. Perhaps the problem we face today was best summarized in 2003 in Congressional testimony of Mark N. Cooper when the bill was being debated:

“We must not rely on industry self-regulation. The proposal to move from voluntary self-regulation to mandatory self-regulation misses the point. The difficulty is not the voluntary versus the mandatory. It is the ‘self’ part. We need clear accountability to public authorities.”

While public-private partnerships have their place, the industry has lobbied, promoted and ultimately hornswoggled the federal government into a system of “all carrots and no stick.” They laud the public-private partnerships and have fought for decades against regulation and mandatory standards to secure the critical electric infrastructure. Everything they do is calculated to kick the grid security can down the road and commission more “studies.” When finally forced to write a mandatory standard, the resulting weak standards should not be surprising. This hands-off approach has not worked and today our national security is jeopardized.

This buy-in by the federal government of the “voluntary” grid protection (that hasn’t worked but that the government continues to pursue) was apparent from the government witnesses in a hearing before the House Subcommittee on National Security: “Defending the U.S. Electric Grid Against Cyber Threats” on July 27, 2021. The witnesses from the Department of Energy (DOE), Department of Homeland Security (DHS) and Federal Energy Regulatory Commission (FERC) spoke heavily of voluntary efforts and “partnerships” with electric utility industry.

We have placed our trust and our national security in the hands of an industry with a checkered past: Samuel Insull, Enron, PG&E’s multiple felony convictions, the recent Ohio and Illinois bribery scandals to name only a few. In fact, R Street Institute pointed out:

“Policymakers should not dismiss these developments as merely the work of a few bad actors, but as the latest evidence of an established behavioral pattern tied to perverse incentives from flawed institutions.”

We should not trust the electric utility industry. If after all the industry’s efforts and counsel over the past decades, our critical electric infrastructure is not secure, perhaps their agenda is not the same as that of the United States government.

The Solution: “Mandatory Grid Protection”

The U.S. needs mandatory protection of the electric grid.

After the Enron debacle, Congress enacted certification requirements for publicly traded companies related to financial and disclosure controls. (See sections 302, 404 and 906 of the Sarbanes-Oxley Act of 2002.)

A similar model would work for electric grid cybersecurity.

Legislation is needed mandating that reasonably prudent cybersecurity measures be taken by all companies, public or private sector, that are part of the 16 critical infrastructure sectors described in Presidential Policy Directive 21.

  • The Chief Executive Officer of each such critical infrastructure company must be required to certify periodically to DHS that they have reasonably prudent cybersecurity measures in place that have been reviewed and approved by the Chief Executive Officer of the company.
  • There must be civil and criminal penalties for false certification or failure to submit such certifications.
  • These certifications should be made available to the public as well as state and federal authorities.
  • There must be whistleblower protections for employees of the critical infrastructures who report violations of laws, regulations or standards to their employer, regulators or the government. (For an example of such a provision contemplated by Senators Grassley and Markey in on March 3, 2020, see Congressional Record, pages S1413 and S-1414.)

This would be the simplest and fastest way to move towards the U.S. mandatory protection of the electric grid.

The government and the industry are not likely to do shift from “voluntary” to “mandatory” electric grid protection without the public demanding it be done.

 




 

News

  • How to Fix Electric Grid Security
  • U.S. Continues to Import Large Transformers from China
  • 60 Minutes – How secure is America’s electric grid?
  • COVERUP UPDATE: CIP Violation Database and FOIA Lawsuit
  • Q: How Did We Become So Vulnerable?
  • Rate Recovery: How Electric Customers Fund Industry Lobbying
  • Energy Sector Supply Chain Review – U.S. Department of Energy
  • Criminally Negligent Homicide in February 2021 Texas Blackout Deaths?
  • Chinese Transformer Threat Now Confirmed by Two Administrations
  • Secretary of Energy Advisory Board: Comments of Michael Mabee
  • Electricity Advisory Committee: Comments of Michael Mabee
  • How the electric utility industry torpedoed grid security
  • Chinese Transformer Complaint Filed with U.S. Government
  • U.S. Electric Grid Imports More Chinese Transformers in 2020 and 2021
  • Recent Grid Threats: Frank Gaffney and Michael Mabee Break It Down
  • Secret Penalties: The Electric Grid Is Making You Pay Their Fines
  • Government Misses the Boat on Grid Security – Again
  • Critical Electric Infrastructure – The Government Must Step Up
  • FERC Dismisses Texas Grid Collapse Complaint
  • FERC Office of Public Participation: End the Electric Industry Coverup
  • Testimony of Michael Mabee on SB 1606 – All Hazards Grid Security
  • Federal Complaint Filed on Texas Grid Collapse
  • We Are Plugged In To Life Support
  • Texas Blackout: The Unacceptable Outcome of a Foreseeable Event
  • Chinese Transformers in the Electric Grid: Lights Out For NYC?
  • Message to Governor Jennifer Granholm and the Department of Energy
  • Chinese Transformers in the Electric Grid
  • The U.S. Has 300 Chinese Large Power Transformers
  • Senator Murkowski Questions Cybersecurity Order Suspension
  • Grid Supply Chain Cybersecurity Order “Suspended”

Fund The Fight!


Subjects

Search Website

Subscribe for Updates!

Follow me on Twitter

Tweets by CivilDefenseBK

Click To Get Prepared!

The Civil Defense Book: Emergency Preparedness for a Rural or Suburban Community
The Civil Defense Book Get it now!

Subscribe for updates

Follow Me On Facebook

The Civil Defense Book

8 months ago

The Civil Defense Book
Bradford Clark Freeman, the last surviving member of Easy Company's Band of Brothers, dies at 97apple.news/AkFt2MfXqTCWTe4KGOFDOPg ... See MoreSee Less

Bradford Clark Freeman, the last surviving member of Easy Company's Band of Brothers, dies at 97 — CNN

apple.news

Bradford Clark Freeman, believed to be the last surviving original member of the historic World War II parachute infantry regiment of the US Army known as Easy Company, died Sunday in Columbus, Missis...
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

The Civil Defense Book

9 months ago

The Civil Defense Book
Here Comes the Sun—to End Civilizationwww.wired.com/story/sun-storm-end-civilization/ ... See MoreSee Less

Here Comes the Sun—to End Civilization

www.wired.com

Every so often, our star fires off a plasma bomb in a random direction. Our best hope the next time Earth is in the crosshairs? Capacitors.
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

Fund The fight!


©2023 Grid Security Now! | Theme by SuperbThemes