June 9, 2020
Docket No. EL20-21-000
The Commission’s order in this proceeding denies the Complaint alleging that Reliability Standard CIP-014-2 (Physical Security) is “inadequate” and that “enforcement of the mandatory physical security standard seems nonexistent.” The order also denies the Complaint’s request for an order from the Commission directing the North American Electric Reliability Corporation (NERC) to correct these alleged deficiencies. Though the Commission’s reasoning in denying the Complaint is correct as a matter of law, I write separately to encourage NERC, regulated entities and the Commission to continually reassess the security of all assets used for the generation, transmission and distribution of electricity.[1]
Cyber and Physical Threats Are Real
The importance of electricity to the security and safety of the American people cannot be overstated. Virtually every aspect of our lives, our businesses, and our society depend on access to reliable and affordable electricity. Therefore, any realized threat to our electric system can have devastating effects on individuals, families, businesses, the economy and the nation. We know this; so do our adversaries.
In the summer of 2018, then Director of National Intelligence Dan Coats stated, referencing the attacks on our country of September 11, 2001, that “the warning lights are blinking red again” and “the digital infrastructure that serves this country is literally under attack.”[2] We know that this referenced infrastructure includes our bulk power system. It has been publicly reported that nations such as Russia, China, Iran, and North Korea, as well as terrorist organizations and non-state actors, have attempted to and have the capability and intent to infiltrate our electrical systems, primarily through cyber-attacks.[3] There is also a growing awareness that we need to be concerned about the supply chain for software and equipment used in the electric industry.[4] The ability to remotely interfere with our electric system through cyber-attacks creates real threats to the physical operation of the grid. The Commission, NERC and regulated entities have been working to address these threats and must continue to do so.
Physical attacks on electric infrastructure are also a real threat. For example, the event that prompted Reliability Standard CIP-014-2 (Physical Security) was the April 2013 physical attack on the Metcalf substation in San Jose, California. This attack involved individuals using rifles to target the 500 kV substation; seventeen transformers were damaged in the attack.[5] Similarly, in September 2016, an individual armed with a high-powered rifle successfully conducted a sniper attack in Utah, knocking out the Buckskin substation and causing a loss of power for 13,000 customers.[6]
It is also recognized that remotely controlled unmanned aerial vehicles, or drones, can be employed to attack energy infrastructure. As an example, we only need to consider the public reports that drones were likely used to attack and damage oil refineries in Saudi Arabia in September, 2019.[7] We also need to be vigilant about the potential threat posed by various forms of electromagnetic pulse (EMP) when considering electric infrastructure security.[8]
President Executive Order
Among other actions taken by Congress and the President, on May 1, 2020, President Trump issued an Executive Order on “Securing the United States Bulk-Power System.” In its preamble the Executive Order observes:
[F]oreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system, which provides the electricity that supports our national defense, vital emergency services, critical infrastructure, economy, and way of life. The bulk-power system is a target of those seeking to commit malicious acts against the United States and its people, including malicious cyber activities, because a successful attack on our bulk-power system would present significant risks to our economy, human health and safety, and would render the United States less capable of acting in defense of itself and its allies.[9]
To address these threats, the Executive Order prohibits the purchase or use of equipment for the electric grid that was manufactured by an entity under the control of a foreign adversary or that poses a national security threat.
FERC and NERC Responses to Cyber and Physical Security
Under the Energy Policy Act of 2005, FERC, along with NERC, oversees implementation and enforcement of mandatory reliability standards for both cyber and physical security in the bulk electric system.[10] Through the development of Critical Infrastructure Protection or CIP standards, we ensure that the assets that support the nation’s electricity supply comply with baseline standards for cyber and physical security. Though the Complaint at issue in this proceeding is denied, the work to secure the grid is ongoing.
The threats to the grid are real and we must remain vigilant. FERC and NERC have been working with industry to establish standards. But standards are only the beginning. In addition to these baseline standards, FERC and NERC must also work collaboratively with industry to establish best practices in addressing these threats. It is up to everyone to be vigilant and proactive in preventing attacks and mitigating security risks. As a Commission we need to work continually with NERC and the regulated community to ensure that our electric grid is secure against cyber and physical attacks.
For these reasons, I respectfully concur.
[1] I recognize that the Commission does not have jurisdiction over the local distribution of electricity or the siting and permitting of generation facilities; but due to the interconnected nature of the electric system, it is important that regulated entities and regulators be cognizant of the fact that threats to any part of the system can be a threat to the entire electrical system.
[2] See National Public Radio, Transcript: Dan Coats warns of continuing Russian cyberattacks (Jul. 18, 2018), https://www.npr.org/2018/07/18/630164914/transcript-dan-coats-warns-of-continuing-russian-cyberattacks.
[3] Department of Energy, Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector at 20-23 (Aug. 2016), https://www.energy.gov/sites/prod/files/2017/01/f34/Cyber%20Threat%20and%20Vulnerability%20Analysis%20of%20the%20U.S.%20Electric%20Sector.pdf.
[4] See generally Reliability Standard CIP-013-1, Cybersecurity – Supply Chain Risk Management.
[5] Congressional Research Service, Physical Security of the U.S. Power Grid: High-Voltage Transformer Substations at 7 (Jun. 17, 2014), https://fas.org/sgp/crs/homesec/R43604.pdf.
[6] Peter Behr, Substation attack is new evidence of grid vulnerability, E&E News (Oct. 6, 2016), https://www.eenews.net/stories/1060043920.
[7] David Reid, Saudi Aramco reveals attack damage at oil production plants, CNBC ( Sep. 21, 2019), https://www.cnbc.com/2019/09/20/oil-drone-attack-damage-revealed-at-saudi-aramco-facility.html.
[8] See Executive Order No. 13865, 84 Fed. Reg. 12041 (2019); see also Department of Energy, Electromagnetic Pulse Resilience Action Plan (January 10, 2017), https://www.energy.gov/sites/prod/files/2017/01/f34/DOE%20EMP%20Resilience%20Action%20Plan%20January%202017.pdf.
[9] See Executive Order No.13920, 85 Fed. Reg. 26595 (2020).
[10] Energy Policy Act of 2005, Pub. L. No. 109-58, § 1211, 119 Stat. 941-46 (2005) (codified at 16 U.S.C. § 824o).