On March 26th, Representative Henry Waxman (D – CA 33rd District), introduced the following bill, H. R. 4298, “To amend the Federal Power Act to protect the bulk-power system and electric infrastructure critical to the United States against cybersecurity, physical, and other threats and vulnerabilities”, also referred to as the “Grid Reliability and Infrastructure Defense Act” or as it is hereinafter referred to as, the “GRID Act”.
As this entry’s title reflects, Representative Waxman’s legislation is in reaction to the devastating assault that took place during the early morning hours on April 16, 2013 outside of San Jose, California, where snipers discharged round after round of gunfire for a period of nineteen minutes at the Pacific Gas and Electric Company (“PG&E”)’s Metcalf Transmission Substation. As reported by the Wall Street Journal, the snipers disabled seventeen giant transformers that transmit electricity to Silicon Valley. Utility and grid operators narrowly prevented a blackout by rerouting the electricity to other transmission segments in the area. It took utility workers twenty-seven days to repair the Metcalf facility. John Wellinghoff, former Chairman of the Federal Energy Regulatory Commission called the attack, “‘the most significant incident of domestic terrorism involving the [electrical] grid that has ever occurred’ in the U.S.” For more on the Metcalf incident: Metcalf WSJ Article.
The GRID Act seeks to amend Section 215 of the Federal Power Act (16 U.S.C. 824o) by adding Section 215A., entitled, “Critical Electric Infrastructure Security”. The Federal Power Act confers the Federal Energy Regulatory Commission (“FERC”) with jurisdiction to regulate the electric utility industry. In 2005, Congress passed the Energy Policy Act of 2005, amending the Federal Power Act, and creating Section 215. Section 215 of the Federal Power Act authorizes FERC to certify a national electric reliability organization (“ERO”) to establish and enforce reliability standards for the bulk power system. FERC has conferred ERO certification on the North American Electric Reliability Corporation, also known as (“NERC”). For more information: NERC website.
On February 7th, Senators Harry Reid (D – NV), Ron Wyden (D – OR), Dianne Feinstein (D – CA), and Al Franken (D -MN), wrote to Cheryl LaFleur, Chairman of FERC and Gerry Cauley, President and CEO of NERC “requesting that FERC and NERC utilize their authorities under the electric reliability provisions of [the Federal Power Act] to determine whether additional minimum standards regarding physical security at critical substations and other essential facilities are needed to assure the reliable operation of the bulk power [system].” See Senators’ letter: here.
On February 11th, Chairman LaFleur responded stating that: “Congress could improve the Commission’s and NERC’s ability to address risks related to physical and cyber attacks by enhancing the confidentiality of sensitive security information concerning physical or cyber threats to, or vulnerabilities of, the bulk power system…Congress should consider designating a federal department or agency…with clear and direct authority to require actions in the event of an emergency involving a physical or cyber threat to the bulk power system. This authority should include the ability to require action before a physical or cyber national security incident has occurred. This authority should not impede FERC’s existing authority under Section 215 of the Federal Power Act to approve reliability standards developed by NERC through its current processes.” See LaFleur Letter: here.
The GRID Act largely seeks to identify and remedy “Defense Critical Electric Infrastructure Vulnerabilit[ies]”, defined in Section (a)(3) of the Act as “a weakness in defense critical electric infrastructure that, in the event of —
(A) a malicious act using electronic communication or an electromagnetic pulse, would pose a substantial risk of disruption of those electronic devices or communications networks, including hardware, software, and data, that are essential to the reliability of defense critical electric infrastructure; or
(B) a direct physical attack on defense critical infrastructure, would pose a substantial risk of significant adverse effects on the reliability of defense critical electric infrastructure.”
Section (b) of the GRID Act outlines “Emergency Response Measures”, which confer power to the President to identify an imminent grid security threat and direct FERC to issue such orders for emergency measures as are necessary in its judgment to protect the reliability of the bulk-power system or of defense critical electric infrastructure against such threats. Once Emergency Response Measures are triggered, Congress must be notified.
Section (c) seeks to establish “Measures to Address Grid Security Vulnerabilities”. This section confers FERC with the authority to identify a grid security vulnerability, and to promulgate a rule or issue an order requiring implementation, by any owner, operator, or user of the bulk-power system, of measures to protect the bulk power system against such vulnerability. Section (c)(2) requires that FERC promulgate a rule or issue an order to remedy “existing cybersecurity vulnerabilities”.
A more comprehensive measure the GRID Act seeks to trigger is to ensure “Large Transformer Availability”. Section (c)(4) of the GRID Act addresses this mandate, which requires FERC to issue an order directing NERC to promulgate reliability standards addressing the availability of large transformers. “The standards shall require entities that own or operate large transformers to ensure…adequate availability of large transformers to promptly restore the reliable operation of the bulk-power system in the event that any such transformer is destroyed or disabled as a result of a reasonably foreseeable physical or other attack or geomagnetic storm event.” The Metcalf incident saw seventeen large transformers disabled and destroyed. Many utilities and grid operators do not have a stock pile of large transformers, which can serve as replacements if a Metcalf like event occurs. The mandate in Section (c)(4) seeks to put in place measures to ensure that swift repairs to facilities can be made if an attack does indeed occur.
Section (d) requires the President to provide FERC with a disclosure of U.S. facilities that are “critical to the defense of the United States; and vulnerable to a disruption of the supply of electric energy provided to such a facility by an external provider.” If FERC identifies a defense critical electric infrastructure vulnerability in any of the facilities disclosed by the President, FERC has the authority to promulgate a rule or order requiring implementation of protective measures for that facility.
Section (e) of the GRID Act prohibits public disclosure of protected information, such as where vulnerable facilities are located. This section also governs how protected information is shared, submitted to Congress, and the duration for which certain information is protected, removal of its protected status, and how to challenge its protected status. This is another Section that Chairman LaFleur’s February 11th Letter influenced.
For more information and further reading of the GRID ACT, click here.
Thank you for reading the first blog post here at FERCBlog.com. New posts will be made available at least every two weeks, and more frequently when time and news permit. Please subscribe to the blog if you have not already via Email or RSS. You can also follow FERCblog on Twitter, Linkedin, and Facebook.
