Organizational Changes at FERC On Cybersecurity Highlighted by Chatterjee, FERC Staff

This post appears as published in Foster Report No. 3276

With energy infrastructure cybersecurity rising in importance, FERC has made some organizational changes to enhance the focus of in-house experts at the Commission and improve collaboration with other agencies, FERC Chairman Neil Chatterjee said at the recent open meeting.

The meeting also included a presentation from FERC staff on five cybersecurity focus areas among the Commission’s offices. One of those areas is improving industry access to timely information on threats and vulnerabilities, because companies need relevant, time-sensitive data in order to act on it, staff said.

Both the staff presentation and Chatterjee noted a couple of office changes to improve security protection, with FERC staff establishing a new security-focused group within the Division of Dam Safety and Inspections, part of the hydropower projects team in the Office of Energy Projects (OEP). The new group will focus on physical and cyber security matters at hydropower facilities, including inspections, risk analyses, and identification of vulnerabilities.

The formation of the new group will allow dam safety engineers to focus on traditional safety measures while the new security group will focus on physical and cyber efforts on security, FERC staff explained.

The Office of Electric Reliability (OER) also has realigned functions of staff to enable more focus on cybersecurity among those with experience in the area of critical infrastructure protection (CIP) reliability standards, FERC staff said. CIP reliability standards are developed by the North American Electric Reliability Corp. and reviewed/approved by FERC, with industry compliance monitored by FERC.

Chatterjee explained the change in OER at the beginning of the November 21 meeting, describing the move as a means to improve implementation of FERC responsibilities under Section 215 of the Federal Power Act. The change creates a new division of cybersecurity within OER, effective November 24, he said.

Before the change, one division was responsible for overseeing development of all reliability standards and enforcing compliance with CIP standards, while a different division had oversight of compliance with non-CIP standards. The change creates a Division of Cybersecurity within OER that will focus on development of and compliance with CIP standards. The Division of Operations and Planning Standards will focus on development of and compliance with non-CIP standards, Chatterjee explained.

The change will enable each division to concentrate on the full life cycle of standards development and industry compliance, which is critical given the rapid evolution of cyber threats and advances in technology, he said.

The new security group in OEP and the realignment in OER will consolidate cybersecurity staff to allow them to focus solely on cyber issues and concerns. The reorganization should promote a more efficient execution of FERC’s reliability authority under the FPA, Chatterjee said, thanking FERC staff for their efforts in facilitating the change.

Commissioner Richard Glick said the organizational changes are a great idea and an improvement in how FERC carries out its security responsibilities. After the staff presentation, he asked if the Commission imposes conditions on hydropower project owners for physical and cyber protections when it approves a hydropower license.

Staff answered that although the Commission does not typically include specific security requirements in a license, it can do so if there is a hydropower project that has unique vulnerabilities that FERC believes should be addressed.

Glick noted that natural gas pipeline security has been a concern of his, and he co-authored an op-ed with Chatterjee on the oversight capabilities and limited staff of the Transportation Security Administration (TSA), which has been the subject of inquiries from Congress and a critical report from the Government Accountability Office. Perhaps FERC should consider imposing conditions on pipeline certificates awarded under the Natural Gas Act as a means to address any security concerns on pipeline facilities, Glick suggested. He said he is simply putting the idea out there as a possibility.

The idea was not discussed further at the meeting, and it was not exactly welcomed by Chatterjee when he was asked about it at the press briefing after the meeting. The idea has been around a while and was examined by former FERC Chairman Norman Bay, Chatterjee said. There are levels of complexity associated with imposing such conditions in pipeline approvals, which is one of the factors that dissuaded Bay from making a change, Chatterjee said.

Chatterjee also noted that TSA Administrator David Pekoske has met with him at different times and assured him that the agency is taking its pipeline security responsibilities seriously. He is pleased with the progress made by the agency thus far in the area, he said.

During the staff presentation at the meeting, FERC staff said it is building upon outreach and coordination with other federal agencies, state regulators, industry groups, and the information sharing and analysis centers for natural gas, LNG, hydropower and electric infrastructure security. Staff in the Office of Energy Infrastructure Security is collaborating with TSA, the Department of Homeland Security, the U.S. Coast Guard and others on different cyber threats and mitigation measures.

This includes network architecture assessments of different facilities, staff said. Unlike the bulk electric system and the development of CIP standards through NERC, there are very few mandatory cybersecurity controls for hydropower facilities. “Likewise, natural gas pipelines are not subject to mandatory cyber security controls, but disruption of these pipelines could still have a significant impact” on the bulk power grid, staff said.

The development of the five focus areas for FERC staff was informed by a review of public and non-public threat reports, lessons learned from cybersecurity events around the world and existing CIP standards, FERC staff explained.

The five areas are: Adequacy of Security Controls; Industry Access to Timely Information on Threats and Vulnerabilities; Internal Network Monitoring and Detection; Cloud/Managed Security Service Providers; and Supply Chain/Insider Threat/Third-Party Authorized Access. Supply chain and insider threat issues are critical because the best security system is of little value if an attacker can simply bypass any security controls, FERC staff said.

The use of outside parties to manage security and cloud computing can provide security benefits by allowing energy providers to focus on their in-house operations and use trusted third parties for key security tasks. “However, more research needs to be conducted to determine if the most critical systems, such as those used for real-time operations, could be used in the cloud,” FERC staff told the commissioners.

Cloud computing is an evolving area, and Chatterjee asked about the costs and benefits of moving some security functions to outside entities. There is an element of lost control for energy providers, but such steps can save money by turning hardware and software requirements over to outside entities rather than maintaining security measures for in-house capabilities, staff said. The growth of third-party providers also allows energy companies to concentrate on the areas they specialize in, staff noted.

By Tom Tiernan