FERC pressed on gas, renewables, cyber threats

Source: By Peter Behr, E&E News • Posted: Sunday, October 3, 2021

Federal Energy Regulatory Commission Chair Richard Glick on Capitol Hill in July. Francis Chung/E&E News

Operators of the nation’s power systems told federal regulators that the time for talk is over in girding the grid for a clean energy transformation and the threats of devastating weather and cyberattacks.

“I feel like I’m on the train track at the end of the tunnel, and the light is getting bigger and bigger,” said Peter Brandien, an official of ISO New England, speaking to a conference yesterday on the power grid’s future at the Federal Energy Regulatory Commission.

FERC needs to order U.S. grid operators to spell out risks they face from extreme weather, the shift to variable wind and solar power, and hacking threats — and detail what they’re doing about it, said Brandien, the New England grid operator’s vice president for systems operations and market administration.

“The time for talking is past us, and we have to mandate people to do this,” he said.

Former FERC Chair Cheryl LaFleur, another speaker at the session who is currently a board member of ISO New England, urged the commission to go ahead with a policy she said the agency is considering that would require forward-looking assessments of risks and actions required to maintain the system’s reliability.

Today, grid planners do not look ahead systematically to equip their systems to withstand high-impact, severe weather assaults, she said. That must change.

The goal should be to “focus on standards that drive the identification and management of evolving risks,” said LaFleur, a Democrat who helmed FERC at various times from 2013 to 2017. She left the independent agency in 2019.

The call for action was welcomed by Democratic FERC Chair Richard Glick, who has pledged a stronger agency response to climate change, cyberthreats and extreme weather like the winter storm that knocked out power to millions of customers in Texas earlier this year (Energywire, Sept. 29).

“Look at the pictures from the devastation from the wildfires, the devastation from the hurricanes. Talk to the families of those people who froze to death this past February in Texas because they didn’t have electricity,” Glick said. “This is serious business here. We need to do something about it.”

James Robb, chief executive of the North American Electric Reliability Corp., which drafts grid reliability and security regulations it submits to FERC for approval, saw the same urgency in ending a yearslong debate about the divided federal regulatory oversight of the U.S. interstate power grid and the interstate gas pipeline system. FERC has no authority over pipeline security and reliability — a gap exposed by the gas system outages during the cold wave and blackout in Texas.

“We really need to stop admiring this problem and put solutions into action,” Robb said, promising to support a proposed conference of grid and gas-sector leadership and regulators on the issue.

Under the current policy, created by Congress in 2005 following the Northeast blackout two years before, FERC has assigned NERC to draft mandatory reliability and security regulations for the commission’s approval, and to monitor compliance. NERC does this through committees of utility executives and outside experts, whose recommendations require a supermajority approval vote before submission to the commission. Serious violations may be punished with fines imposed by FERC.

The process is inherently slow-moving because standards are drafted and voted on by officials of the companies that will have to comply with the rules, LaFleur said. The companies “have a natural fear of enforcement,” and that tends to produce watered-down rules that most in the industry can agree with, she added.

“Moving forward, it will be important to guard against such overconservatism if the standards are to adapt to the needs of the future grid,” LaFleur said. “I believe it may be necessary for the commission to signal a less enforcement-oriented regime as the standards are developed to meet these evolving risks that are not well understood.”

Several representatives from major U.S. grid operators seconded calls for the federal government to address the need to plan for evolving risks.

“Really, what we’re looking forward to … is moving past the discussion … and seeing the commission take action,” added Christopher Pilong, director of operations planning at the PJM Interconnection.

Natural gas, cyberthreats

Glick has urged Congress to give the commission authority to set reliability and cybersecurity regulations for natural gas pipelines that supply generators, which deliver around 40 percent of U.S. electricity.

“I think we need to bring the two sides together and kind of knock heads and suggest we really need to make changes here,” he told the Senate Energy and Natural Resources Committee this week.

Under President Biden’s proposed energy strategy, natural gas generation would shrink as renewable power expands — but it will remain an indispensable backup when wind and solar output is missing, according to Glick.

“It is the fuel that keeps the lights on,” he said.

Glick did not get support, however, when he asked a panel of cybersecurity experts yesterday about creating a “white list” of approved equipment vendors supplying critical equipment and controls to U.S. grid operators, or a “black list” of unapproved suppliers that could pose security risks.

At the top of the conference agenda yesterday was the persistent threat of malware-infected vendor software, driven home late last year by the breach of a widely used system management tool from Austin-based technology company SolarWinds. Thousands of unknowing SolarWinds clients downloaded a hacked version of the supplier’s Orion software platform, leaving their systems compromised.

Jennifer Sterling, vice president for security compliance at Exelon Corp., said FERC’s current push to require tighter cybersecurity for grid companies’ vendors is not succeeding.

“We need to do 450 security risks assessments [of Exelon vendors], and we need to keep track of how our vendors are responding,” Sterling said. “As big as we are, we do not have the resources to verify each of the responses that all of our vendors are giving us.”

She called for forging “strong partnerships with the government” to help fix the problem, beginning with better threat alerts from intelligence agencies.

“If the government has specific, actionable intelligence, it needs to be shared,” Sterling said, using virtually the same plea that Exelon officials and other grid leaders have been making for years.

Tony Hall, manager of the FERC regulatory program at Louisville Gas and Electric Co. and Kentucky Utilities Co., agreed. “The only way to solve this issue is a strong partnership between government, industry and suppliers,” Hall said. FERC and NERC “cannot force requirements on industry of which industry has no control to manage,” he said.

White lists, however, are not the answer, said the FBI’s Matthew Halvorsen, strategic program manager for the Supply Chain and Cyber Directorate at the National Counterintelligence and Security Center.

“It’s out of date 10 minutes after you make the list,” he said.

Puesh Kumar, acting principal deputy assistant secretary at the Energy Department’s Office of Cybersecurity, Energy Security and Emergency Response, suggested using a risk-based approach that identifies the most critical supply chain devices and systems, and investigates where on the grid they are being used and what would be the consequences if they were disabled.

“I understand the attractiveness” of the list idea, said NERC’s chief executive, Robb. “Administratively, it is almost impossible.”