Securing the smart grid: protecting national security and privacy through mandatory, enforceable interoperability standards.

Author: Bosch, Christopher
Position: III. Efforts to Address Cybersecurity: The Current Legislative and Regulatory Environment through Conclusion, with footnotes, p. 1376-1406
  III. EFFORTS TO ADDRESS CYBERSECURITY: THE CURRENT LEGISLATIVE AND REGULATORY ENVIRONMENT

    Congress and the Obama Administration have demonstrated an awareness of the dangers that cybersecurity vulnerabilities pose to national security and, in response, have factored these concerns into legislation, executive orders, and project funding requirements. However, these responses have been inadequate in the Smart Grid context. In an industry as fast-moving as the Smart Grid, mandatory interoperability standards must be established early if they are going to be established at all. Instead, a voluntary adoption regime persists to the potential detriment of citizens and businesses. (147)

    [Footnote: For additional information regarding "backdoors" and the vulnerabilities they can create in otherwise secured systems, see Swire & Ahmad, supra note 78.]

    While a self-regulatory model (148) can be effective in regulating an industry, the model established through the Energy Policy Act of 2005 (EPAct) (149) (which amended the Federal Power Act (FPA)) to develop mandatory reliability standards does not fully address Smart Grid cybersecurity from the interoperability perspective. The separate regulatory relationship established between NIST and the Federal Energy Regulatory Commission (FERC) under the EISA to implement interoperability standards is too burdensome and inactive to appropriately account for the fast-moving nature of Smart Grid development. (150) While all interoperability standards remain voluntary, utilities will continue to pick and choose what standards to abide by, often opting for minimum security to save money. Profit generators, such as Smart Grid technologies, will likely continue to be produced amongst a patchwork of inconsistent state and/or industry interoperability standards, rendering the Smart Grid highly vulnerable to cyber attacks. (151)

    1. FERC, NERC, and the Mandatory Reliability Standard Development Process

      Under section 215 of the EPAct, (152) Congress granted FERC the authority to develop mandatory standards aimed at ensuring the reliability of the "bulk-power system." (153) "Reliability standards" include requirements for "existing bulk-power system facilities, including cybersecurity protection, and the design of planned additions or modifications to such facilities." (154) The "bulk-power system" includes "facilities and control systems necessary for operating an interconnected electric energy transmission network" and "electric energy from generation facilities needed to maintain transmission system reliability." (155) Notably, the "bulk-power system" excludes "facilities used in the local distribution of electric energy." (156) The statute further directed FERC to certify an "Electric Reliability Organization" (ERO) to "establish and enforce reliability standards for the bulk-power system, subject to [FERC] review." (157) In 2006, FERC certified the North American Electric Reliability Corporation (NERC) as the ERO. NERC's principal members are owners, operators, and users of the bulk-power system. (158) Once NERC has developed a reliability standard, (159) it submits it to FERC for approval. If FERC disapproves of a standard in whole or in part, it is not given statutory authority to unilaterally modify the standard; however, it may remand the standard to NERC for further consideration. (160) FERC may also conduct formal rulemaking proceedings for submitted reliability standards to allow for comment by other interested parties. (161) Ultimately, to establish a mandatory reliability standard, FERC must determine that the standard, as filed, is "just, reasonable, not unduly discriminatory or preferential, and in the public interest." (162) Once approved by FERC, the reliability standard becomes mandatory for participants in the bulk-power system, and enforceable by NERC. (163)

      NERC documentation has suggested that while interoperability standards operate to ensure free exchange of information in the Smart Grid without logical barriers, reliability standards put barriers in place to protect the critical infrastructure assets of the bulk power system. (164) It has also indicated that NERC's understanding of the mandate set forth under 16 U.S.C. [section] 824o places the focus of reliability standards more on physical aspects of the grid, including "installed equipment" and "the operation and maintenance of cyber assets." (165) Reliability standards shape the behavior of "asset owners and operators," not "equipment and system designers, manufacturers, and integrators." (166) Notably, NERC documentation indicates that NERC does not believe that reliability standards are intended to "specifically protect telecommunications systems or communications paths," (167) underscoring the need for interoperability standards.

    2. NIST and the Interoperability Standard Development Process

      Under EISA, (168) NIST was given the "primary responsibility" of developing and coordinating a framework for "interoperability of smart grid devices and systems" that would "contribute to an efficient, reliable electricity network." Interoperability concerns the communication paths that exist between actors (169) along which they connect to "transmit, store, edit, and process the information needed within the Smart Grid." (170) Congress granted FERC the authority to review "work" prepared by NIST and, upon FERC's judgment that such work has led to "sufficient consensus," institute a "rulemaking proceeding to adopt ... standards and protocols ... necessary to insure smart-grid functionality and interoperability in interstate transmission of electric power, and regional and wholesale electricity markets." (171) However, Congress did not define "work," "sufficient consensus," or "adopt." Also notably missing from the legislation was an enforceability provision.

      In November 2009, NIST established the Smart Grid Interoperability Panel (SGIP) to coordinate the development of nonmandatory interoperability standards. (172) SGIP's members represent twenty-two Smart Grid stakeholder categories and "[a]ll seven integrated domains of the power system--customers, markets, service providers, operations, bulk generation, transmission, and distribution." (173)

      NIST standards may only gain regulatory significance if they become part of a rulemaking proceeding by FERC under 42 U.S.C. [section] 17385(d). (174) Notably, though, EISA does not provide express authority to enforce interoperability standards created under the statute to either NIST or FERC, unlike the clear grant of enforcement authority for reliability standards under the EPAct. (175) FERC's position is that EISA did not grant it the authority to make or enforce mandatory interoperability standards. (176) As a result, to promulgate enforceable mandatory interoperability standards under the current EISA regime, FERC would have to reinterpret its own authority. Standards set forth after such a change in policy present an issue because they may be invalidated as "arbitrary and capricious" under the Administrative Procedure Act. (177)

      FERC has interpreted its own authority under EISA as including adoption of standards that would "be applicable to all electric power facilities and devices with smart grid features, including those at the local distribution level and those used directly by retail customers so long as the standard is necessary for the purpose [of 16 U.S.C. [section] 824o]." (178) This interpretation represents a jurisdictional reach greater than the one in the reliability sphere. (179) FERC's position met with significant opposition from members of the electricity industry and PUCs. (180) Industry members asserted that technical standards are typically developed and adopted by the private sector on a voluntary basis, while PUCs claimed that they retained jurisdiction over distribution-level projects. (181) One argument set forth by utilities and PUCs in protecting their activities from mandated technical requirements was that "mandated standards preserve technologies in amber, making them potentially obsolete later." (182)

      These statutory ambiguities and jurisdictional conflicts have led to a stalemate: to date, FERC has not mandated any technical interoperability standards. NIST only made one attempt to submit standards to FERC for consideration in a potential rulemaking proceeding. On October 6, 2010, NIST notified FERC that it had "identified five families of standards as ready for consideration by regulators." (183) Ultimately, FERC issued an order on July 19, 2011 finding that there was "insufficient consensus" to institute a rulemaking proceeding on the five families of standards. (184) Since then, no other standards have been submitted to FERC by NIST. However, NIST has continued to develop voluntary standards and prepare comprehensive reports analyzing, in great detail, the many communication interfaces existing within the Smart Grid and offering suggestions on how to enhance their security. In fact, fifty-six voluntary standards have been approved through the SGIP process, (185) and subsequently added to SGIP's Catalog of Standards. (186)

      The security deficiencies that can arise from reliance upon voluntary standards were illuminated in a report developed by Congressmen Edward J. Markey and Henry A. Waxman, then-Chairman of the House Subcommittee on Energy and Environment and then-Chairman of the House Energy and Commerce Committee, respectively. The report identified both mandatory and voluntary NERC standards (187) and polled utilities about their compliance with each. (188) The Congressmen found that most utilities comply only with mandatory cybersecurity standards, without implementing voluntary NERC recommendations. (189)

      The utilities' failure to implement adequate cybersecurity standards is also demonstrated in another report prepared by the DOE's Inspector General, which showed that while ninety-nine grants were awarded by the DOE under its "Smart Grid...
