‘Constant’ cyberattacks have FERC’s full attention

Source: Rod Kuckro, E&E News reporter • Posted: Thursday, April 19, 2018

The Federal Energy Regulatory Commission has stepped up its attention to “constant” attacks on the nation’s energy infrastructure, Chairman Kevin McIntyre said yesterday at a wide-ranging hearing before the House Energy and Commerce Subcommittee on Energy.

“The issue that you raised here — we would be hard-pressed to identify one of greater concern to us as an energy industry, as regulators of that industry,” McIntyre said in response to questioning from panel Chairman Fred Upton (R-Mich.).

McIntyre was joined by his four colleagues in the rare appearance on Capitol Hill by the full commission to speak about its budget and operations.

“Attacks are constant on not just governmental entities but the companies that we regulate,” he said. “Success, that is what varies.”

Upton disclosed that commissioners have been offered classified briefings on cyber-related threats. McIntyre said those briefings are being scheduled but that FERC staff is working “on a daily basis” with other agencies, including the departments of Energy and Homeland Security, and the Transportation Security Administration.

“Our level of engagement on this will only continue to increase,” he said.

Asked by Upton whether FERC needs any additional authority to deal with cyberthreats, McIntyre said, “That’s a good question. I don’t have a specific area right now that we would need broader statutory authority.”

Commissioner Neil Chatterjee represents FERC on the Electric Subsector Coordinating Council, the principal liaison between federal government leaders and the electric power sector.

Cyber risk is “the new reality that we must contend with,” he told the subcommittee.

“As we benefit and gain from the technological innovation that’s taking place in this space, we have to be cognizant that it comes with a downside risk of increased cyber vulnerability,” he said.

Commissioner Cheryl LaFleur, who disclosed she has a classified briefing today, is in her eighth year on the commission and once served as chairwoman.

“Hacks on the grid are constant. Every year, electric grid attacks are either a slight majority or slightly below 50 percent” of all cyber assaults in the U.S., she said.

“They’re very infrequently successful with the electric grid,” she said, crediting standards developed and approved by FERC in recent years.

‘Real weaknesses’

LaFleur suggested that more needs to be done “across different infrastructure sectors,” such as electric, water, natural gas and finance, where common interests and problems exist. “That’s where there’s real weaknesses,” she said, “in sharing information and learning from each other.”

Commissioner Robert Powelson made cybersecurity a centerpiece of his prepared testimony. He touted the commission’s outreach to state regulators to help them “build their internal capacities to address cyber.”

Powelson brandished a copy of a “checklist” developed by FERC for state regulators to use in helping their utilities prepare for cyberthreats.

But the process of educating state officials is time-consuming, Powelson said, and FERC “could certainly use more boots on the ground” to do so. He said the agency has 20-25 staff members “fully engaged in this issue.”

Asked by Rep. Bob Latta (R-Ohio) whether cyber standards need to be revised, Powelson said that some in industry already think some “current reporting requirements are a little onerous.”

But he also said: “I would refrain from saying that because we can’t really cut corners on cybersecurity. We’ve got to give you all peace of mind that we are protecting and applying the needed resources to protect the bulk power system. These threat vectors are changing radically, daily.”

Latta asked whether FERC was considering ways to strengthen its protection of information collected from utilities and shared with third parties.

Powelson replied that FERC is working with the North American Electric Reliability Corp. to refine some standards, including “vendor remote access to data, software authenticity, information system planning and vendor risk management. This all coincides with what I call best practices around cyber hygiene.”

Latta also asked about the recently disclosed hack of FERC’s internal systems.

“We’re still looking at that issue, making assessments on what kind of data might have been exposed,” Powelson said.

“We seem to be in a good spot in developing the proper protocols around fishing expeditions and making sure that we are hygiene proficient as well,” he said.

Twitter spat

Rep. Bill Johnson (R-Ohio) asked Powelson to explain his swift reaction on Twitter to recent comments by Murray Energy Corp. CEO Robert Murray that “FERC did not do its job when it rejected” Energy Secretary Rick Perry’s request to order financial support for coal and nuclear plants unable to compete in power markets. In his remarks, Murray had called FERC a “feckless” agency.

Powelson quoted Murray in an April 10 tweet not long after the CEO’s comments were reported, saying, “I challenge Mr. Murray to a debate on CNBC or Fox News.”

But the debate tweet did not last long and was deleted. “I refrained from going down that path. I thought it was inappropriate, and I dialed it back rather quickly,” Powelson told Johnson.

“I take offense to the word feckless being used” to describe the agency, the commissioners “and the 1,320 employees that show up to work every day to do their job,” Powelson said.

“That term was what again?” Johnson asked.