View recent news coverage highlighting interviews and quotes from LPPC.
April 6, 2017
By John Di Stasio
For more than a decade, electric utilities, the U.S. government and other organizations have been building a robust and multi-faceted defense against cyberattacks that would disrupt the operations of the U.S. electric grid. At the same time, the cyber threat has evolved, the number of attacks has increased and the nature of attacks has advanced. The security that we’ve gained isn’t fail-safe against new and emerging threats. The risks and challenges posed by this type of dynamic risk require a defense in depth that includes a focus on prevention, resiliency and recovery.
The capabilities of the electric utility industry in each of these areas have grown significantly over the past decade, increasing our knowledge of the threat environment, known threat vectors, and best practices aimed at building a mature and flexible security posture. As Congress and the Trump administration explore technology advancements to minimize cybersecurity threats, it’s important to consider how we got here.
As far back as 1999, the realities of an increasingly digital world, and the related risks, became a national focus. There was a comprehensive national effort to prepare for “Y2K” and potential disruptions to digital systems as we entered a new millennium. In 2005, through the Energy Policy Act, Congress approved the process for mandatory, enforceable reliability standards for the bulk power system. In 2007, Idaho National Laboratory’s “Aurora” experiment suggested that control systems for generating stations might be hacked and manipulated. In December 2015, a cyber attack on the Ukrainian grid underscored concerns over the grid’s vulnerability.
Fortunately, in each case, we increased our knowledge and evolved our defenses through collaboration, standards, exercises, information sharing and best practices designed to harden the defenses of the electric grid. We had the benefit of developing these capabilities without the consequences of an actual event disrupting our national grid.
The electric industry has always held reliability of service as its highest priority, and we are approaching the deterrence of the threats of tomorrow with the same focus and rigor as we have in defending against past and current threats.
We have implemented the nation’s only mandatory suite of cyber security standards, the Critical Infrastructure Protection standards, promulgated by the Federal Energy Regulatory Commission, and the North American Electric Reliability Corporation (NERC). We have increased our situational awareness through expanded coordination with the Electricity Information and Analysis Center and the Industrial Control Systems Cyber Emergency Response Team. We have also expanded our partnership with government through participation in the Electric Sub-Sector Coordinating Council and the Department of Energy’s Office of Energy Delivery and Reliability.
The ESCC has recently established a Cyber Mutual Assistance program to allow for timely support in the face of a cyber attack to any member utility or group of utilities. This model has long been in place to address extreme weather outages so we have a long history of practicing mutual aid. We also share best practices through our national associations to raise the individual and collective cyber-readiness of the industry.
After more than a decade of public and private sector collaboration and engagement, the foundation and framework is in place for a multi-faceted defense in depth. But we know we cannot stand still.
There is much yet to be done to anticipate new cyber threats and to continue to build our security capacity and capability. We welcome the opportunity to work with policymakers and regulators as they grapple with this national security risk, but we continue to believe that the flexible, risk-based framework we’ve built together gives us the chance to evolve our mitigation as the risks evolve.
An earlier version of this op-ed incorrectly stated NERC’s full name.
John Di Stasio is president of the Large Public Power Council and formerly served as the CEO of the Sacramento Municipal Utility District.
# # #
March 29, 2017
By Blake Sobczak
Senators of all political stripes voiced support yesterday for exploring new strategies to thwart cyberattacks on the U.S. power grid, including a plan for keeping the lights on without relying on the internet.
Sen. Angus King (I-Maine) urged electricity sector experts to consider whether "back-to-the-future answers" — such as manual backup operations at critical points in the power grid — "might protect us from the kind of attack that we know is coming.
"This qualifies as an emergency, and I hope we can act promptly," King said at a Senate Energy and Natural Resources Subcommittee on Energy hearing yesterday, as he called for a $10 million, two-year grid cybersecurity study (E&E Daily, March 27).
King's bill, S. 79, the "Securing Energy Infrastructure Act," was largely welcomed by witnesses at the hearing. But experts warned against letting strong cyberdefenses come at the expense of other hard-won innovations.
"A broad-scale reversion to pre-digital technology is uneconomic, unjustified and perhaps even impossible," said Michael Bardee, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission, in prepared testimony.
"But I do not see S. 79 as proposing such action," he added, noting that the legislation "could potentially aid the utility industry, FERC and others to maintain a secure electric grid" by setting up an interagency working group to examine the problem.
Bardee suggested King add FERC to the proposed list of members on the working group, which now includes the departments of Defense, Energy and Homeland Security; intelligence community; and the North American Electric Reliability Corp., the nonprofit grid overseer.
The bill was first introduced last summer in response to a series of eye-opening cyberattacks on Ukraine's power grid. In December 2015, hackers used stolen usernames and passwords to break into three Ukrainian utilities' operating networks and cut off power to about a quarter of a million people. The victim companies were able to restore electricity only after reverting to "manual mode" — dispatching employees to flip switches at remote facilities.
A year later, hackers struck again at another Ukrainian power company, temporarily severing electricity at a transmission-level substation (Energywire, Jan. 11).
"If we aren't prepared for cyberattacks, a Ukraine-like situation could take place in the U.S.," said Energy Subcommittee Chairman Cory Gardner (R-Colo.) at the outset of yesterday's hearing. He added that "hackers are certainly trying to create that kind of havoc in the U.S."
Thomas Zacharia, deputy director for science and technology at Oak Ridge National Laboratory, noted that his agency would be called on to support the working group if King's "retro" security bill is enacted.
He told senators that a "two-year pilot to really explore what is possible, to get out in front of this evolving challenge, is probably the best thing we can do."
Industry speakers at the hearing pointed to existing efforts to lock down the power grid from hackers.
John Di Stasio, president of the Large Public Power Council, which represents some of the biggest locally owned utilities in the country, said his group supports the "Securing Energy Infrastructure Act" on the condition that it doesn't get ahead of any existing cybersecurity requirements set by NERC.
"We've got a very robust cyber compliance and enforcement program," he said, noting that the industry has come "a long way" in improving cyberdefenses over the last 10 years. "I feel like we've got some of the essential building blocks in place."
Ben Fowke, CEO of Minneapolis-based utility Xcel Energy Inc., offered a tepid endorsement of King's bill, noting that Xcel "does not object" to the legislation based on its voluntary nature and liability protections for companies that contribute to the working group.
Fowke was more supportive of broader efforts to streamline the government's handling of cybersecurity, such as an effort by Gardner and Sen. Chris Coons (D-Del.) to create a Select Committee on Cybersecurity to cut down on some of the overlap in Congress.
"We just need to coordinate better," said Fowke. "There's a lot of work being done, but it's being done by a lot of agencies, it's being done by a lot of congressional committees. ... I think we're getting better at coordinating, but the bad actors are getting better at attacking us at the same time."
# # #
POLITICO's Morning Cybersecurity: John Di Stasio Quote at Senate Cyber Security Hearing
POLITICO's Morning Cybersecurity
March 29, 2017
By Tim Starks
STANDALONE CYBER? - Sen. Cory Gardner on Tuesday stumped for his bill that would place cybersecurity under one Senate committee. At a hearing of the Senate Subcommittee on Energy, which Gardner chairs, the Colorado Republican asked an energy executive whether such consolidated congressional oversight would benefit the nation's power grid. "Yes, senator, I think that would," said Benjamin Fowke, head of the major utility firm Xcel Energy. "We just need to coordinate better."
Later in the hearing, Sen. Angus King broke from his line of questioning to praise Gardner's effort. "By the way, Mr. Chair, I like the idea of the select committee," he said, before joking: "You get to tell [Senate Armed Services Committee Chairman John McCain] that you're taking cyber away from Armed Services." Gardner playfully noted that McCain had actually co-sponsored the bill, adding with a laugh, "I don't know if he knows the full implication of it."
Sen. Al Franken also used the hearing to highlight the White House's proposal to reduce funding for an Energy Department office that helps coordinate digital security measures with the energy sector. The Trump administration's recently released "skinny budget" indicated the DOE's Office of Electricity Delivery and Energy Reliability would get less money as part of broader cuts to the agency's budget. At Tuesday's hearing, John Di Stasio, president of the Large Public Power Council - whose members include over two dozen of the nation's largest public power systems - said his council had "worked closely with the office ... to develop smart grid and so forth, but also on reliability risks related to cyber."
# # #
CYBERSCOOP: Electric Power Industry Puts Cybersecurity to Forefront with Trump, Lawmakers
March 28, 2017
By Chris Bing
Electric power industry executives are pushing to have their cybersecurity concerns heard by Congress and the Trump administration.
A Senate Energy and Natural Resources Committee hearing on Tuesday — convened to discuss how the government can better coordinate with the private sector on power grid security, incident response and other cyber threat information sharing efforts — is the latest example of how the industry is reaching out to Washington.
Last week, electric power company and trade group representatives also met with top administration officials, including Secretary of Energy Rick Perry and Jeanette Manfra, the acting deputy undersecretary for the Homeland Security Department’s cyber division, Politico first reported. The group spoke about relevant, shared security goals and priorities, and where the government can offer assistance.
Energy companies face substantial risks in cyberspace, experts say, and threats can directly affect physical systems and human life.
John Di Stasio, President of the Large Public Power Council, told lawmakers Tuesday that because cyberthreats aimed at the electric grid evolve so rapidly, the industry typically prefers “flexible” cybersecurity regulations. Di Stasio said that while the government can play an important role in defending U.S. critical infrastructure, he disapproved of Congress rushing out new, potentially constraining compliance standards.
Another topic of significant concern for Tuesday’s four-person panel was the lack of actionable intelligence provided to the electrical power industry by government agencies about hackers.
“We need help getting the information,” Xcel Energy President Ben Fowke III told Cory Gardner, R-Co. “Quite often by the time we hear about a potential threat from the government, we’ve known about it for a long time through private sources or industry communication. And I think the reason for that is that we struggle on taking what could be classified information, declassifying it and getting it out quickly.”
There are some signs in Congress that future legislation may help spur collaborative public-private security research and information sharing programs.
A bill introduced last year by committee member Angus King, I-Maine, named the “Securing Energy Infrastructure Act,” or S. 79, was discussed during the hearing. As it is currently written, the legislation would establish a $10 million pilot program within the Energy Department’s national labs to research new cybersecurity technologies and find security vulnerabilities evident in products used by private energy companies. This vulnerability research would be shared with private sector partners.
“The effort proposed in S. 79 could potentially aid the utility industry, FERC and others to maintain a secure electric grid,” Michael Bardee, Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission, wrote in a prepared testimony for the committee. “Utilities have come to rely increasingly on digital tools for monitoring and operating the Bulk-Power System. These tools have enhanced the efficiency and effectiveness of utility operations significantly.”
Because most critical infrastructure in the U.S. is privately owned, the government must often form partnerships with companies to better monitor and secure industrial control networks. DHS, in this scope, plays a critical role as the defender and support team while the Energy Department helps to drive forward research and changes to policy, standards and regulation, which can improve digital security in the larger energy community writ large.
Developing relations between the electric power industry and U.S. government come in the wake of several known and substantial cyberattacks against industrial control facilities.
Four years ago, Iranian hackers broke into the Bowman Avenue Dam near Rye Brook, New York, using sophisticated malware. The attackers were unable to fully access the dam’s IT systems though investigators believe they could have taken control of the facility’s flood gates, investigators said at the time. DHS’ Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, responded to the incident, helping mitigate damage caused by the intrusion.
“I think one of the great things here is that the federal government stepped in and stopped what could have been something bad from happening,” Rye Brook Mayor Paul Rosenberg told CNN in 2015 after news first broke that hackers were responsible for the Bowman Avenue Dam incident in his town. “We appreciate that, but it makes me wonder about what would be potentially next, and that makes me concerned.”
# # #
POLITICO's Morning Cybersecurity: Mention of John Di Stasio to Testify at Senate Cyber Security Hearing
POLITICO's Morning Cybersecurity
March 28, 2017
By Tim Starks
AND ENERGY SUBCOMMITTEE SLATED TO TALK CYBER: A Senate Energy and Natural Resources Committee subpanel convenes today to discuss S. 79, the Securing Energy Infrastructure Act, a bill Sen. Angus King floated last year that never got a vote. Per our friends at Morning Energy, the bill calls for creating a $10 million pilot program within the Energy Department's national labs to research ways to repel cyber intrusions on systems used to operate energy infrastructure. Witnesses testifying today are Mike Bardee from FERC, Large Public Power Council President John Di Stasio, Thomas Zacharia, a deputy director at Oak Ridge national lab, and Xcel Energy chief Ben Fowke. "S. 79 promotes government-industry partnership in studying evolving vulnerabilities, which may help combat cybersecurity threats," Di Stasio plans to testify, according to his draft remarks. "However, LPPC cautions against provisions that could lead to prescriptive technology solutions."
# # #
POLITICO’s Morning Energy: Mention of John Di Stasio to Testify at Senate Cyber Security Hearing
POLITICO’s Morning Energy
March 28, 2017
By Anthony Adragna
Later on: A subpanel of the Senate Energy and Natural Resources Committee is convening today to discuss S. 79, the Securing Energy Infrastructure Act, a bill Sen. Angus King also floated last year but never got a vote. The bill calls for creating a $10 million pilot program within the Energy Department's national labs focused on researching ways to repel cyberintrusions on control systems used to operate energy infrastructure. Witnesses testifying today are Mike Bardee from FERC, Large Public Power Council President John Di Stasio, Thomas Zacharia, a deputy director at Oak Ridge national lab and Xcel Energy chief Ben Fowke. The hearing starts at 2:15 p.m. in Dirksen 366.
# # #
Senate Holds Hearing on Cybersecurity Threats to US Electric Grid
March 28, 2017
View photo gallery here. (John Di Stasio is featured in photos 1, 5, 7 and 10.)
# # #
Small Generator 'Ride Through' Proposal Draws Favor from Industry Stakeholders
May 30, 2016
By Jasmin Melvin
Industry stakeholders last week appeared mostly on board with a FERC proposal that would require generators smaller than 20 MW to "ride through" and stay connected during abnormal frequency and voltage events.
Large generators already are subject to such a requirement. FERC issued a notice of proposed rulemaking (RM16-8) in March after determining that it would be "unduly discriminatory not to impose these requirements on small generating facilities" in light of the increasing penetration of distributed energy resources on the grid.
Specifically, FERC's proposal would alter the pro forma interconnection agreement for small generators to require those smaller than 20 MW signing up for new interconnection agreements to ride through abnormal frequency and voltage events, rather than disconnecting. The proposed rulemaking would also require transmission providers to coordinate protective equipment settings with automatic load shedding programs.
Industry groups, grid operators and electric reliability coordinators filed comments to FERC May 23 generally agreeing with FERC's position.
The NOPR cited North American Electric Reliability Corp. studies demonstrating the growing impact of small generating facilities on the grid. With technological developments such as smart inverters, these new small generators have the ability to ride through frequency and voltage disturbances like their larger counterparts.
But concerns were posed related to the timing of a new rule going into effect.
The Edison Electric Institute, American Public Power Association, Large Public Power Council and National Rural Electric Cooperative Association, in a joint filing to FERC, supported reforms to the pro forma small generator interconnection agreement (SGIA) but cautioned against imposing broad changes to SGIAs before companies can validate that the changes can be safely implemented into their operating practices.
The trade groups also recommended holding off on finalizing the proposed rule until industry has had an opportunity to address changes to key industry standards being floated to ensure the safe and effective disconnection from utility systems when necessary to avoid islanding conditions. New industry standards from the Institute of Electrical and Electronics Engineers have yet to be approved and in some cases are still unpublished.
"Although the trade associations recognize that some regions, such as California and PJM, had to move more quickly to address changes with respect to distribution interconnection processes in light of renewable portfolio standards, such changes are not in play in all regions of the country at this time," the trade groups said in support of slowing things down. "The commission should acknowledge the many regional differences in how small generators are interconnected."
The groups suggested that while the industry standards undergo review, FERC could convene regional technical conferences "to encourage entities to propose modifications to their individual pro forma SGIA to address their local reliability needs [and to] explore how changes made to the FERC pro forma SGIA may influence state regulations."
NERC, in its comments to the commission, eyed the NOPR as consistent with its reliability assessments.
"NERC has determined that the transforming resource mix may affect reliability of the bulk power system, unless proactive measures are taken to address the integration of greater levels of variable energy and distributed energy resources," it said.
Therefore, it supported "proposals to apply consistent frequency and voltage ride through requirements" as part of interconnection agreements.
Similarly, the ISO/RTO Council warned that "the aggregation or significant combination of small generating facilities that do not ride through transmission disturbances can lead to undesirable consequences for system operations, including causing an otherwise acceptable system post-contingency response to exhibit unacceptable low or high voltage or thermal limit exceedances."
IRC, which filed comments on behalf of the six FERC-jurisdictional independent system operators and regional transmission organizations, said the NOPR was also consistent with wholesale organized markets' tariffs, such as a requirement in ISO New England that all inverter-based generating facilities be able to ride-through voltage disturbances and a PJM Interconnection requirement that all wind units have voltage and frequency ride-through capabilities.
The council commended the proposal for allowing independent entity variations from the proposed revisions, allowing a grid operator, for example, to retain existing provisions in its SGIAs if it could prove the provisions were consistent with or superior to the pro forma agreement changes proposed by FERC.
IRC did recommend clarifying some language in the proposed pro forma agreements to explicitly ensure consistency with NERC reliability standards and any applicable regional entity standards.
Peak Reliability, the reliability coordinator for the bulk of the Western Interconnection, also supported the NOPR, asserting that it would "simplify operational conditions and reduce system load imbalances."
Peak explained that "reductions in system load imbalances may also reduce disturbances on the bulk power system." Further, it said adoption of the proposed rule would "ensure effective protections for system operation while also avoiding increased costs."
The existing pro forma SGIA was adopted in Order 2006 and amended in Order 792. The new requirements would apply to newly interconnecting facilities subject to FERC jurisdiction.
# # #
May 10, 2016
By Stan Parker
Public power utility groups rallied behind an Arizona power district Monday, urging the Ninth Circuit to reverse a district court ruling and toss antitrust claims brought by SolarCity Corp.
The American Public Power Association and the Large Public Power Council told the appeals court in an amicus brief that the Salt River Project Agricultural Improvement and Power District should be immune from the solar developer’s suit claiming Salt River illegally imposed certain charges for utility customers who install rooftop solar.
The APPA, which consists of more than 2,000 public power utilities, and the LPPC, which represents the 26 largest U.S. public utilities, told the court they have an interest in making sure that state-action immunity protects their ability to set rates.
“Specifically, they have an interest in preserving the ability of states to adopt and implement statutory ratemaking regimes, free from the distorting burdens that are often imposed by antitrust litigation,” they wrote.
The utilities said SolarCity’s antitrust suit was the wrong way to resolve the “difficult problems” of how to fairly allocate costs among customers. They argued that accommodating rooftop solar is an expensive endeavor and that subsidizing it can shift the burden onto the rest of the customer base.
The groups argued those pricing decisions are "difficult enough" and already subject to regulatory oversight.
“But if a stakeholder whose interest in the continuation of a subsidy can bypass the state’s administrative and judicial review processes and claim that a loss or decline in that subsidy is fair game for a federal antitrust suit, it will add dramatically to that difficulty,” they wrote.
Their arguments to protect state-action immunity echoed Salt River’s own arguments in its opening brief to the Ninth Circuit last week Tuesday, when it told the panel it was acting within the authority delegated to it by the Arizona legislature.
The appeal comes after U.S. District Judge Douglas L. Rayes pared down SolarCity’s suit against Salt River, but still allowed it to proceed with core monopolization claims.
SolarCity filed the complaint in March 2015, alleging that Salt River Project’s newly adopted “standard electric price plans” amounted to a 65 percent rate increase for solar customers and would “penalize” a typical solar customer by about $600 per year.
Those new price plans were a sudden shift for Salt River Project, which for years had offered incentives to customers to use solar, according to the complaint.
American Public Power Association and the Large Public Power Council are represented by John M. Baker, Bethany D. Krueger, Janine W. Kimble and Chris L. Schmitter of Greene Espel PLLP.
SolarCity is represented by William A. Isaacson, Karen L. Dunn, Steven C. Holtzman, John F. Cove Jr., Kieran P. Ringgenberg and Sean P. Rodriguez of Boies Schiller & Flexner LLP and Roopali H. Desai of Coppersmith Brockelman PLC.
Salt River Project is represented by Molly Boast, Christopher Babbitt, Daniel S. Volchok, David Gringer, Thomas G. Sprankling and Christopher Casamassima of WilmerHale and Paul K. Charlton and Karl M. Tilleman of Steptoe & Johnson LLP.
The case is SolarCity Corp. v. Salt River Project Agricultural Improvement and Power District, case number 15-17302, in the U.S. Court of Appeals for the Ninth Circuit.
—Additional reporting by Jeff Zalesin, Adam Sege, Matthew Bultman, Bonnie Eslinger and Vin Gurrieri. Editing by Patricia K. Cole.
# # #
Platts: FERC Grants Extension on Critical Infrastructure Protection Standards Over Objection of NERC
March 7, 2016
By Mark Watson
Electric industry trade associations and independent system operators have won a three-month delay in the implementation of North American Electric Reliability Corp.'s fifth iteration of critical infrastructure protection standards.
On February 25, FERC approved the February 4 request by the Edison Electric Institute, American Public Power Association, Electric Consumers Resources Council, Electric Power Supply Association, Large Public Power Council, National Rural Electric Cooperative Association and the Transmission Access Policy Study Group, collectively known as the "Trade Associations," to defer the implementation of the critical infrastructure protection version 5 reliability standards from April 1 to July 1 to align with the effective date for another set of standards approved in Order 822.
"We are persuaded that the separate implementation dates in short succession create unnecessary administrative burdens with little or no commensurate benefit to reliability," the order states. "Therefore, we grant Trade Associations' request for an extension of time for compliance with the CIP Version 5 Reliability Standards."
The April 1 deadline had applied to taking certain steps to identify and protect cyber systems classified as having a high or medium impact on grid reliability.
However, NERC had asserted in a February 8 filing that no delay was necessary, as "NERC can adequately address the Trade Associations' concerns without delaying the implementation," because NERC was committed not to enforce the single rule modification that required different processes during the period from April through July 1.
In a February 12 response, the trade associations said Order 822 affects seven different standards "in this complex transition."
On that same date, California Independent System Operator, Electric Reliability Council of Texas, Midcontinent Independent System Operator, PJM Interconnection and the Southwest Power Pool, known as the "Joint Commenters," filed comments in support of the trade associations' position.
"While the Joint Commenters are very appreciative of NERC’s recommendations regarding deference on enforcement of certain language, the Joint Commenters respectfully suggest that the requested extension provides the most clarity and direction for the affected parties," the ISOs said.
Ultimately, FERC was persuaded by the Trade Associations' arguments for delayed implementation.
# # #