FERC goes back to Congress again for more cyber oversight
Thursday - 7/19/2012, 5:12am EDT
"Despite its active role in approving reliability standards, FERC's current legal authority is insufficient to assure direct, timely and mandatory action to protect the grid," Joseph McClelland, director of the FERC Office of Electric Reliability, told the Senate Energy and Natural Resources Committee.
McClelland said his agency's effectiveness in preventing cyber attacks on electric systems is limited by a slow, unpredictable process for developing rules and standards that grid operators can use to protect their systems from cyber malice. The problem, he said, is magnified as more utility operators install networked smart-grid technology.
FERC derives part of its grid-protecting mandate from the Energy Independence and Security Act of 2007, which promotes the adoption of new technologies for the electric system. But the law does not provide the agency with authority to enforce the standards it approves. Only part of the electric system falls under FERC's jurisdiction.
"Much of those technologies are implemented and deployed at the distribution level, which is more under the purview of the state regulatory commissions and others," said Greg Wilshusen, director of information security at the Government Accountability Office.
Not the first time
Lawmakers have attempted to increase FERC's authority in the past. In 2008, Reps. Bennie Thompson (D-Miss.) and Jim Langevin (D-R.I.) promoted legislation that would have given the agency authority to require power plants to immediately fix cybersecurity holes. Lawmakers have pushed other bills to address the issue, but to no avail.
Once again, FERC asked senators to draft legislation that addresses FERC's concerns.
"First, legislation should allow the federal government to take action before a cyber or physical national security incident has occurred," McClelland said. In addition, Congress should avoid limiting additional authority to the bulk power system, which excludes certain critical facilities in major population areas.
But some regulators say the existing process works well as is and that the government's role over electric utilities should remain limited.
"We think we've got an adequate handle," said Todd Snitchler, chairman of the Public Utilities Commission of Ohio. "We have been able to work closely [with utilities] to make sure that they are operating in a way that gives us a level of comfort that they have sufficient security going forward."
Sharing of threats poses challenges
Snitchler also said he worries about the feasibility of efforts to encourage utility companies to share information about threats to their systems with the federal government and other companies. The proposal is part of a number of legislative efforts to improve cybersecurity.
"Like other state commissions, it's sometimes a challenge to have our utilities come in and disclose the weaknesses in their system," he said. "And so the issue of confidentiality again rears its head even at the state level as we try to protect that information and prevent it from becoming part of the public domain."
Some companies worry information about their vulnerabilities might be used against them if publicly disclosed. But one idea seeks to address the concern.
Companies' vulnerability disclosures should be anonymous, allowing companies to share details without putting their names on the line, Wilshusen said.
This story is part of Federal News Radio's daily Cybersecurity Update.