Safeguarding the electric grid against possible cyberattacks requires money and constant innovation, and a new group launched in 2016 wants utility regulators to make those investments easier.
Protect Our Power is a not-for-profit organization focused on strengthening the U.S. electric grid's cyber defenses. The group has a bipartisan advisory panel made up of almost two dozen former White House, government and industry officials, including some from the U.S. Department of Homeland Security and the Edison Electric Institute.
The not-for-profit's job became even more urgent after the U.S. government recently officially accused Russia of coordinating attempted cyberattacks against U.S. energy infrastructure.
"The mission of the organization is to make meaningful progress on advancing the cybersecurity of our electric grid and providing assistance in funding that effort," said Suedeen Kelly, a former member of the Federal Energy Regulatory Commission who now is a partner in Jenner & Block's energy practice and serves as Protect Our Power's regulatory counsel.
One of the group's main goals is to encourage utility regulators to update their ratemaking processes to facilitate and incentivize security spending. Currently, FERC and states typically require utilities to propose recovery for needed cybersecurity investments as part of broader comprehensive rate change requests rather than allowing them to make those proposals separately. But Kelly noted that large rate cases are a difficult undertaking, meaning utilities could forgo needed security investments to avoid making that effort.
"Full-blown rate cases are very expensive and very time-consuming," Kelly said. "It's difficult for a utility to justify coming in for a rate case if it's only going to be seeking recovery of a few million dollars or a few million dollars a year."
According to Kelly, FERC has said it will "entertain" the idea of single-issue ratemaking for grid security spending at the transmission system level. Protect Our Power is urging a similar approach for distribution system spending, which typically is overseen by states, and is working with the National Association of Regulatory Utility Commissioners to promote that concept.
Another pillar of Protect Our Power's strategy is encouraging utilities to adopt cybersecurity "best practices" rather than simply relying on mandatory FERC-approved standards formed by the North American Electric Reliability Corp. Although NERC standards are "a good foundation" for protecting the grid, Kelly said, cyber threats constantly are evolving and often can get around existing standards.
"Our organization sees a need for an approach in the industry that is more nimble than the standard-making practices," according to Kelly. "In the ideal world, we'd like to see the industry voluntarily embark on and commit to a best-practices approach to cybersecurity."
To take that approach, she said, the bulk power sector could form an entity much like the Institute of Nuclear Power Operations — an industry-backed group created to promote operational excellence for the nuclear fleet following the accident at Three Mile Island in 1979.
FERC also could play a role in advancing the adoption of best practices; Protect Our Power plans to ask that agency to hold a technical conference on cybersecurity, Kelly said. The conference could look at defining and identifying best practices, potential challenges to their adoption, and costs for those technologies and processes.
"We are planning to make that request," Kelly said. "I don't know of the precise timing."
Possible action from DOE, Congress
Federal funding also will be key in improving utility cybersecurity.
Kelly said U.S. Department of Energy grants and other government financial support could help spur development and deployment of cybersecurity enhancements. She also praised the DOE's recent decision to form a separate office focused on cybersecurity, which will be called the Office of Cyber Security, Energy Security and Emergency Response.
With respect to possible congressional action, Kelly said she wants U.S. lawmakers to look at grid threats as a national security issue, which could free up more federal funding in the area. An anticipated infrastructure bill from Congress could be a vehicle for energy sector cybersecurity reforms, but Kelly said members of Congress and their staff did not seem to be prioritizing cybersecurity provisions for that bill.
"Cybersecurity has not been at the top of the list for most of them," Kelly said. "We're now talking to them about revising the priority list."
Whether it be Congress, the DOE or industry, Kelly said the power sector needs someone to lead the way on cybersecurity.
"I think there really needs to be a leader who will say, 'Steps forward are urgent and we're going to start making them now,'" Kelly said. "There are, of course, different industry groups and cooperatives, joint government-industry groups that have made some progress, particularly in getting clearances [and] providing for the sharing of information, and those are good foundational steps. But actually becoming cybersecure is what we need to do next."
Protect Our Power is a 501(c)(4) organization, which enables the group to do lobbying work. The group now also has a 501(c)(3) arm, which can receive tax-deductible contributions but cannot by law perform lobbying activities.