View recent news coverage highlighting interviews and quotes from LPPC.
Inside Cybersecurity: Electric Sector Info-Sharing Initiative Aims To Refine Cyber Threat Analysis
February 2, 2018
By Joshua Higgins
A new partnership and “cyber grid pilot program” between the Large Public Power Council and the electric sector’s Information Sharing and Analysis Center will help refine the quality and use of cyber threat information, according to electric sector representatives.
The LPPC and E-ISAC -- which is managed by the North American Electric Reliability Corporation -- last week launched a pilot program on cyber threat information sharing, “in an effort to build competency and preparedness within the public power sector, and to encourage more engagement and information sharing between government and industry,” according to electric sector sources.
Michael Fish, senior director of enterprise cybersecurity at the Salt River Project, one of the public power entities participating in the program, told Inside Cybersecurity that the pilot will help the E-ISAC collect details on how cyber threat information is used across the electric sector in order to make improvements to info-sharing processes and make data more actionable to grid operators.
Read the full article to learn how this new initiative will help increase public-private trust and collaboration on sharing cyber threats.
January 17, 2018
By John Di Stasio and Jonathan Schneider
With its order on January 8, 2018, the Federal Energy Regulatory Commission quieted the firestorm sparked by the Notice of Proposed Rulemaking initiated by the Department of Energy in Docket No. RM18-1. We believe that FERC got it exactly right. The Commissioners were right in concluding that the NOPR presumed a remedy for a problem that had yet to be fully defined, and right to terminate the NOPR, given the time frame imposed by DOE.
The DOE NOPR attempted to address a complex and only vaguely-defined challenge by promoting a narrow set of resources. There is, we believe, a legitimate concern regarding grid resilience in the face of the nation’s changing generation resource mix. But there are many potential measures that would enhance resilience, and FERC was right to focus first on defining the issue on a regional basis, and only then to move toward solutions.
FERC’s approach reflects the position taken by the Large Public Power Council (LPPC) in comments we filed with FERC on the NOPR. We were heartened by the Commission’s consensus in the matter.
LPPC comprises twenty-six of the nation’s largest municipal electric utilities committed to achieving the optimal balance of reliability, affordability and environmental stewardship. LPPC members operate in thirteen states and all regions of the country other than the upper-Midwest. They focus on regional or local solutions with a full appreciation of fuel and resource availability, and local governance preferences regarding economic development and the environment, and strongly support FERC’s regional approach.
What’s Next at FERC?
Without presuming a remedy, FERC directed RTOs/ISOs within sixty days to address a series of questions, with these aims: (1) to develop a common understanding among the Commission, industry, and others of what resilience of the bulk power system means and requires; (2) to understand how each RTO and ISO assesses resilience in its geographic footprint; and (3) to use this information to evaluate whether additional Commission action regarding resilience is appropriate at this time. This is all for the good.
Helping focus the coming discussion, FERC appropriately took the further step of offering a broad definition of resilience, following the lead of the National Infrastructure Advisory Council: “The ability to withstand and reduce the magnitude and/or duration of disruptive events, which includes the capability to anticipate, absorb, adapt to, and/or rapidly recover from such an event.” FERC invites initial comments on this proposal from the RTOs/ISOs, and responsive comments from interested parties.
This broad definition makes sense. But it also leaves room for debate on a variety of important topics, including the nature and magnitude of the risks against which the grid can reasonably guard and from which plans can be made to recover; the criteria against which resilience of the grid can be measured; and the list of system and resource attributes useful in contributing to a more resilient grid.
From a national perspective, it’s fair to say that the nation’s changing generation mix poses a challenge with respect to the provision of essential reliability services. And while FERC was right in concluding the problem is not imminent, the statistics show that it’s not insignificant either. This was pretty clearly established by NERC’s May 2017 Reliability Assessment and the DOE Staff Report of August 2017, upon which the DOE NOPR relied, making the point that the retirements of large centrally-located facilities pose a challenge to the grid.
But the NERC and DOE studies also make it clear that the situation is very different in different parts of the nation. These substantially different circumstances reflect, among other things: varied generation portfolios around the nation, including substantial difference in the prevalence of intermittent resources; differences in the availability of transmission, firm natural gas transportation and fuel resource options; and varied projections of the availability of fuel-secure generating stations.
For all of these reasons, FERC’s regional focus is appropriate. The focus is also consistent with the experience of LPPC’s varied membership, operating in some states with an abundance of hydro-electric or renewable resources, and some with an abundance of coal or natural gas. These fuel and resource realities drive investment, portfolio designs and ultimately, the aforementioned balance. Likewise, resilience is a regional matter, since the risks from varied weather conditions, infrastructure, supply flexibility and geography all contribute to very different options to address resilience.
The upcoming discussion will no doubt include a debate over the appropriate roles exercised by FERC, state and municipal authorities, and NERC. As to FERC, while there may be an academic question regarding the scope of its authority, it seems pretty clear as a practical matter that the Commission must consider the implications for grid resilience of its rate and regulatory decisions. The Federal Power Act calls for FERC to ensure that transmission and wholesale sales rates are just and reasonable, and while the scope of FERC’s authority to regulate practices affecting such rates is not unlimited, the direct effect that economic regulation has on the reliability and resilience of the grid seems pretty well within FERC’s wheelhouse.
That said, state and municipal authorities also have an important role to play. FERC does not have authority over generation siting, and states that have not unbundled generation, or moved to retail access, maintain authority over generation resource adequacy. Even where FERC’s authority is clearest (unbundled states), it is appropriate and wise for FERC to defer to state and locally-based resource choices, as we discuss below. State-based Renewable Portfolio Standards, and other incentives offered to certain generating resources, though under attack in certain quarters, also reflect legitimate state and local choices to which FERC should defer as it reviews individual RTO/ISO responses to the inquiries framed in the new docket.
The Commission has a history of working hand-in-hand with state and municipal authorities when the jurisdictional line cannot be so clearly drawn, and we believe its decision-making is most durable when it does so. The approach taken in Order No. 1000 is very much on point. There, the Commission recognized that transmission planning subject to its oversight must reflect state and local policy choices regarding the nature and location of generating resources.
What role NERC should play in all of this is a little less clear. The Commission notes that most commenters on the NOPR distinguished between reliability and resilience. Under section 215 of the Federal Power Act, NERC’s authority extends only to the former. NERC may have a role here, but we urge both NERC and FERC to proceed carefully. Mandatory standards in this area can become quite expensive very quickly, especially without a consensus regarding resilience metrics.
What Should FERC Do?
Based on DOE Staff’s and NERC’s 2017 Assessments reflecting medium to long-term resource issues that should be addressed, it’s safe to assume that FERC’s inquiry will not soon be at an end. In the coming discussion, we hope FERC will be open to suggestions for restructuring capacity markets (remuneration for fixed cost investment in generation) with an eye to ensuring: (1) that they elicit needed investment; and (2) that they provide room for state and local governments to accomplish legitimate policy objectives.
Over the past several years, FERC has been criticized (as recently as in the December 2017 General Accounting Office Report on Electricity Markets) for sending money to the generation sector without being sure that it elicited needed investment. In regions where states have had utilities divest generation and moved to a retail access environment, we don’t doubt that finding a way to assure fixed cost recovery and secure new investment in generation is important.
But the efficacy of existing capacity markets is not clear. Shorter-term (one to three-year) capacity markets may provide an additional revenue source for existing generators, but they appear not to drive new investment decisions, nor investment in infrastructure (long-term firm pipeline transportation capacity for natural gas supplies comes to mind). And to the extent these markets exclude capacity that is self-supplied and funded, a valuable source of long-term investment is discouraged.
Where regional analyses show legitimate concern regarding the adequacy of resources needed to support grid resilience, it will benefit FERC and the industry to be specific regarding the resilience attributes that are in short supply, and to develop pricing mechanisms (markets or sub-markets) geared to eliciting the generation-related resilience attributes. In comments on the DOE NOPR, EPRI provided a useful, if broadly framed, template for how this might work. EPRI identified these broad components of resilience: resilience – adequacy, resilience – operating reliability, and resilience – recovery.
As to each of these components, EPRI suggests the development of supply resilience metrics reflecting desired performance characteristics. Where it is determined that specific resilience attributes are not being met or adequately incentivized, new market or cost-based mechanisms may be considered.
As the Commission sifts through these available tools, we strongly urge it to provide room for state-supported resource choices and incentives that it can build upon, rather than curtail, as some have advocated. In an environment in which the federal government has substantially backed away from environmental regulation, and certainly any form of carbon control, the importance of state-supported resources looms particularly large for many states. There is no good reason to shut these programs down.
The authority over generating resources is clearly a shared responsibility. While FERC’s authority over wholesale markets is clear, it lacks any authority over generation siting, and it has no role in the development of legitimate state-based policy choices that drive many investment decisions.
DOE reports that twenty-nine states have adopted Renewable Portfolio Standards, and a number of regions have adopted carbon control and trading measures, including the provision of renewable energy credits and zero emission credits, such as those adopted in New York and Illinois.
In adopting these policies, state policymakers are responding to the interests of their electorate and, in many cases, furthering other state objectives regarding economic development or the environment. LPPC has supported local and regional autonomy on resource decisions on the basis that resource mandates and incentives often create economic distortion and undermine the benefits of a well-constructed resource portfolio. There is nonetheless clearly a role for the federal government to support emerging technologies through research and development work helping to commercialize new and promising technologies.
To date, state-based programs have withstood legal challenges resting on the arguments that federal law – the Federal Power Act – and the United States Constitution call for preemption and invalidation.
See, for example, Allco Finance Ltd. v. Klee, 861 F.3d 82, 2nd Cir. 2017, upholding Connecticut’s RPS; Coalition for Competitive Electricity, et al. v. Zibelman, 2017 WL 3172866, S.D.N.Y. 2017, upholding New York’s ZEC; and Coalition for Competitive Electricity, et al. v. Zibelman, 2017 WL 3172866, S.D.N.Y. 2017, upholding Illinois’ ZEC program.
Nonetheless, challenges are being advanced at FERC asking the Commission to act affirmatively to offset the impact of any state-based support for specific generating resources. We urge FERC to reject these challenges, except in cases where state-based programs are expressly designed to alter wholesale market prices.
This distinction is supported by the Supreme Court’s recent decision in Hughes v. Talen Energy Marketing, 136 S.Ct. 1288 (2016). There, the Court invalidated a state-based program “tethered” to generation participation in the FERC regulated wholesale market, and designed to drive prices down. But the Court specifically stated that it was not acting to invalidate other measures states “might employ to encourage development of new or clean generation, including tax incentives, land grants, direct subsidies and construction of state-owned generation facilities.” This approach is consistent with cooperative federalism and need not conflict with FERC’s oversight of wholesale markets.
FERC’s unanimous approach to the DOE NOPR builds upon a history of bipartisan decision-making. This is an excellent precedent for the newly-formed Commission. There are clearly challenges ahead, but we believe the Commission will be well-guided by shouldering its responsibility to ensure that markets support a resilient and reliable grid, while accommodating state-based policy and regional differences and other markets that exist outside of their full authority.
The diversity of the national electric sector is a source of strength, since it provides competitive benchmarks that would be lost in a one-size-fits-all market structure. It also reduces reliability risks as a result of regional infrastructure, fuel and connectivity differences.
We look forward to participating in this important conversation going forward and commend FERC for creating a forum for careful consideration of the input to be provided by market operators and the industry as a whole. Any resulting actions can only benefit from a thorough investigation and understanding of the problem.
November 9, 2017
By Timothy J. Burke, Paul McElroy, Arlen Orchard, Phil Wilson
There is a reason it has been over 30 years since Congress last reformed the federal tax code; tax reform is complicated and its outcome touches every American. Congress is currently undertaking this monumental task to reduce tax rates, simplify the tax code, and create a fairer system.
We applaud House Ways and Means Committee Chairman Kevin Brady (R-Texas) for introducing legislation that would preserve the current law treatment of tax-exempt municipal bonds – a provision that has stood the test of time for over 100 years and has significant ramifications for public power.
However, more work needs to be done. We are very disappointed about the decision to eliminate advance refunding for tax-exempt bonds for the public power sector and other state and local governments. Doing so would increase costs for customers and disrupt the industry’s flexibility regarding long-term financing.
The tax-exempt bond market has financed trillions of dollars of investment in vital public infrastructure like schools, hospitals, roads, and energy infrastructure, and has saved taxpayers hundreds of billions of dollars in interest costs. Efforts to reduce tax exemption on municipal bonds would adversely impact public power and the millions of customers we serve nationwide. This is particularly significant for members of the Large Public Power Council (LPPC), which represents the 26 largest not-for-profit, consumer-owned utilities in the United States.
Public power systems have limited means to raise funds for our communities’ capital needs. Our primary means to raise capital is the issuance of tax-exempt bonds, which carry lower interest rates that reduce the cost of building our country’s public power infrastructure. They are our single most important financing tool. Each year, on average, public power utilities make $15 billion in new investments financed with municipal bonds. LPPC’s 26 members alone expect to issue $14 billion in tax-exempt municipal bonds over the next five years to ensure reliability and modernize the electric grid.
Municipal bonds are used to finance investments in power generation (including through natural gas, renewable and alternative fuels), transmission, distribution, reliability, demand control, efficiency, and emissions controls. While the typical power-related bond issue is relatively small, electric generation and transmission projects often cost hundreds of millions or even billions of dollars and can have up to a 50-year operational life. For example, in Nebraska, the R-Project (a $365 million, 225-mile-long 345kV transmission line) will improve the reliability of the transmission grid in the central United States.
Because of the length of these bonds, the industry relies on advance refunding as an important tool to enable communities to lower their borrowing costs when market conditions warrant and keep electric rates low as a result. Restricting advance refunding would significantly limit the flexibility of municipal bond issuers. As a result, issuers would be required to pay a higher interest rate on their debt and would be unable to take advantage of lower interest rates. Higher interest rates would lead to higher costs for our customers.
We urge Chairman Brady to reconsider his decision to repeal advance refunding of municipal bonds. Just like homeowners who refinance their 30-year mortgages, public power utilities use advance refunding to secure better interest rates to keep costs in check.
Another point worth clarifying about tax-exempt bonds is that the burden of taxing municipal bonds is borne by states, local governments and public power systems – not high-income investors. Limiting the exclusion of state and local bonds would not address the fairness issue despite arguments that doing so would limit the tax benefit for rich Americans. Instead it would mean a reduction in infrastructure investments and a price increase for public power customers – such as small business owners and low- and fixed-income households.
According to the American Public Power Association, a $250 million power plant would cost $80 million more to finance if tax-exempt bonds were repealed; $40 million more if the tax exemption were “capped”; and $30 million more if municipal bonds were replaced with direct payment bonds.
In the coming decades, public power will require significant capital to meet customer and load growth needs. Replacing retiring generation, meeting cyber security needs, integrating new renewables, and modernizing the electric grid to meet changing demands will require new infrastructure investment to ensure service reliability. We know from experience that lower borrowing costs for bond-financed projects allow for greater investments, reduce rates for residents, help create jobs, and spur innovation and economic growth. Tax-exempt financing works, and advance refunding is a necessary provision to improve long-term financing while keeping costs down. We hope Congress will take note.
Timothy J. Burke is the CEO of Omaha Public Power District (OPPD); Paul McElroy is the CEO and Managing Director of JEA; Arlen Orchard is the CEO and General Manager of SMUD; and Phil Wilson is the General Manager of Lower Colorado River Authority (LCRA). These utilities are significant public power utilities who rely upon municipal bonds to finance public purpose energy infrastructure. They also represent the geographic diversity of LPPC’s membership.
# # #
October 31, 2017
By Andrew Cohen
John Di Stasio, president of the Large Public Power Council, discusses some of the major issues impacting publicly run electrical utilities including renewable energy, protecting grids against security threats and challenges financing infrastructure improvements. Hosted by Andrew Coen.
October 22, 2017
By Rich Heidorn Jr.
WASHINGTON — Panelists at the Energy Bar Association’s Mid-Year Energy Forum last week heard two very different views of the health of wholesale markets.
Pacific Power CEO Stefan Bird was effusive in his praise of the Western Energy Imbalance Market (EIM), which saved parent company PacifiCorp almost $9 million in the second quarter of 2017. But Dynegy CEO Robert Flexon complained that CAISO and NYISO had become increasingly inhospitable to merchant generators because of state policies favoring renewables and nuclear generation, respectively.
“For us, the markets are [in an] incredibly fragile situation. California is a disaster. There isn’t any competitive power company out there who wants to put a nickel into California,” he said.
Flexon also bemoaned MISO Zone 4 in Southern Illinois, where he said competitive units face unfair competition from rate-based generation. The state also has approved zero-emission credits for nuclear plants, leading to fears in PJM — whose footprint includes Northern Illinois — that such subsidies will be contagious.
“PJM is doing everything they can to try to keep their market together. They’re very proactive,” Flexon said. “They’re trying to fix price formation and the like. [Having] half our megawatts in PJM, I feel good about that.” (See related story, PJM: Energy Price Formation Addresses DOE NOPR.)
Bird said his company’s experience with the EIM has been an unquestioned success.
Moderator Christopher R. Jones, a partner with Troutman Sanders, had set off the discussion by asking Bird if the markets are “healthy.”
“Are they enabling what our customers want? Are they enabling [a] low-cost, affordable, reliable future? I think the answer is resoundingly ‘yes,’” said Bird, whose company has 740,000 customers in Oregon, Washington and California.
“We’ve really had unprecedented opportunities to move that dial on a very accelerated pace and lower costs as well as reduce emissions.”
He said the EIM’s economic dispatch and its ability to move renewable power to load centers enabled PacifiCorp to announce in June a $3.5 billion investment in renewables and transmission in Wyoming, Utah and Idaho “at very little to no costs for our customers and savings over the long term.” (See PacifiCorp IRP Sees More Renewables, Less Coal.)
John DiStasio, president of the Large Public Power Council, said his members don’t have a single view of the market. His organization, which represents the 26 largest members of American Public Power Association, has members in NYISO, SPP and ERCOT.
“Those members that view that there’s economic benefits for them are participating in markets, and those who don’t see that don’t [participate],” DiStasio said.
He said RTOs have gone through “identity crises.”
“When we started up with CAISO, it was really a traditional RTO. And at some point, state policy started to drive how they looked at supporting environmental policy as well. There’s been hit and miss on how that’s been priced. There’s been hit and miss on how you get the right incentives for capacity in some of the markets.” DiStasio said California’s dominance of CAISO has been a barrier to greater market expansion in the West.
“Having said that … moving energy over wider regions I think is going to have a certain inevitability to it where we’ll have more and more people operating in markets — even if it’s just at the EIM level.
“From a Western perspective, I was appreciative that FERC didn’t try to push the Energy Imbalance Market. Actually, it would have fallen apart had that happened given the history of the [2000-2001] energy crisis, the [1980 Pacific Northwest Electric Power Planning and Conservation Act], given what happened in the Northwest during the energy crisis. I think FERC trying to assert more control at that time actually would have had a negative effect. Now, the market dynamics seem to have emerged organically enough that you have people that are voluntarily creating critical mass.
“I think this is really going to be a delicate balance going forward with how much does FERC push on state policy, and I think they may have to rethink the whole paradigm at some point. Because it is clearly a hybrid and we’re kind of stuck … in no man’s land.”
When the discussion turned to Energy Secretary Rick Perry’s call for price supports for coal and nuclear plants, Flexon also called for FERC action.
“FERC has been missing while all the mischief has been happening,” he said, referring to the agency’s six months without a quorum. “They need to get back in the game and protect the markets they created.”
Energy Company CEOs Criticize Grid Resiliency Proposal
October 16, 2017
By Rebecca Kern
The Energy Department's proposal aimed at propping up coal and nuclear plants in certain wholesale energy markets is “an answer in search of a question,” John Di Stasio, president of the Large Public Power Council, said, joining a broad array of opposition.
“I have concerns about it,” Di Stasio, who oversees an organization that represents 26 of the country's largest public power producers, said at the Oct. 16 Energy Bar Association's Mid-Year Energy Forum in Washington. He was one of a panel of three CEOs at the meeting, all of whom criticized the rule. It already has drawn criticism from renewables, oil and natural gas groups, as well as conservative free-market think tanks, consumer advocacy groups and environmental organizations.
[Subscription based publication]
# # #
RTO Insider: Steven Wright, GM of Chelan County PUD, Speaks On Behalf Of LPPC At FERC Tech Conference On Reliability Standards
June 26, 2017
By Michael Brooks
WASHINGTON — A decade of mandatory standards has improved the grid’s reliability, but it’s time for regulators to prune unnecessary rules, speakers told FERC on Thursday.
At its annual technical conference on reliability, the commission delved into the weeds on compliance enforcement, gas-electric coordination and cybersecurity (AD17-8).
NERC received accolades from many who spoke at the conference for its continual improvement of the grid’s reliability; its transparency and coordination with other stakeholders; and its Reliability Assurance Initiative, a risk-based approach to compliance enforcement approved in 2015 that allows facilities to self-log minor violations — and NERC to focus on the most serious issues. The initiative also included the creation of Inherent Risk Assessment (IRA) profiles for facilities, which help NERC decide what standards to focus on.
FERC’s conference came days after the 10th anniversary of the first mandatory reliability standards under FERC Order 693 and a week after NERC released its State of Reliability report, from which CEO Gerry Cauley recounted some key statistics in his opening remarks. (See NERC: Despite Solid 2016, Grid Threats Remain.)
“Bulk Power System reliability remains very high and continues to show year-over-year improvement,” Cauley said. “Industry has been very responsive to our risk-based approach and has been shifting resources to fix the most critical challenges to reliability. … These standards have had a major impact on reducing risk. Over time, we’ve seen a dramatic decline in the number and severity of compliance violations.”
But Cauley and many other panelists said it was time for another “Paragraph 81” process, referring to a provision in the commission’s March 2012 approval of NERC’s Find, Fix, Track and Report process that directed the organization to identify requirements that do little to protect reliability and could be removed. FERC ended up approving the retirement of 34 such requirements (RC11-6, et al.).
“It may be time to focus again on streamlining the requirements to ensure the investment in compliance is commensurate with the reliability gains,” Cauley said.
Speaking on behalf of the Large Public Power Council, Steven Wright, general manager of the Chelan Public Utility District in Washington state, wanted to go a step further. The risk-based approach hasn’t reduced Chelan’s documentation requirements: Of the 1,236 requirements and sub-requirements applicable to the utility, only four qualify for self-logging, Wright said.
He suggested that entities be granted waivers from certain standards if the IRA indicates their implementation of them doesn’t affect the grid.
Cauley disagreed with that idea, calling it an “optional menu.” NERC’s Regional Entities “legally have the discretion today to monitor and enforce whichever standards we feel suit an individual entity. And that’s really the purpose of the Inherent Risk Assessment. … I think the regions could do a better job of explaining that and explaining what could be looked at.
“But I don’t think it makes sense to take a North American set of standards and create sort of a little checklist matrix for each entity. The standards are the standards.”
Wright also suggested that there be more incentives for entities’ standard compliance, which Commissioner Colette Honorable pushed back on.
“I have a 16-year-old daughter, and she gets good grades. But I think she could get better grades,” she said. “So do I reward her for … getting the grades she should be getting anyway?”
Wright did not directly respond to the question of carrot vs. stick, but he made clear he felt LPPC’s members haven’t gotten enough “bang for our buck.”
“We are spending a lot of money” on IRAs and Internal Controls Evaluation, another RAI component, he said. “And I think it’s a good thing because we’re improving reliability, but if we can find efficiencies we should get them.”
‘Special Assessment’ on Gas Dependence
Acting FERC Chair Cheryl LaFleur asked what the commission or NERC should be doing to account for the increasing reliance on natural gas pipelines for baseload power. She pointed out that FERC has no jurisdiction over the reliability of natural gas pipelines (which belongs to the Transportation Department’s Pipeline and Hazardous Materials Safety Administration), but it does have jurisdiction over those who burn the gas.
“Should we be changing our planning standards in some way to take that potential loss of the pipeline into account or the gas storage” site? she asked. “Aliso Canyon brings that into the front of the discussion.”
Cauley responded that NERC is working on a special assessment report on the issue. The organization has been analyzing key pipelines and storage facilities and the potential impact of losing them on the grid.
“It will be clear from this report, I believe, that you should be planning for the loss of a most critical, most impactful facility, including if it’s on a gas system,” he said. “I am concerned that you have certain reliability standards and expectations on an electric system and what I consider a foundational piece — the fuel deliverability piece — doesn’t have an equivalent.”
Patricia Hoffman, acting assistant secretary of the Energy Department’s Office of Electric Delivery and Energy Reliability, suggested that grid operators do assessments to determine how dependent regions are on one fuel source.
The threat of cyberattacks took up a sizeable portion of the daylong conference.
NERC Chief Security Officer Marcus Sachs revealed that the organization had only learned about the most serious threat to date — malware known as CrashOverride — days before it was made public by two cybersecurity firms earlier this month. The program, which can control circuit breakers via supervisory control and data acquisition (SCADA) systems, was used last December to briefly cut power to about one-fifth of Kiev, Ukraine. (See Experts ID New Cyber Threat to SCADA Systems.)
Sachs recounted that NERC learned of CrashOverride on the afternoon of Friday, June 9. ESET, a Slovakian antivirus software provider, had contacted Maryland-based Dragos, asking it to review its findings before it publicized them on Monday. Dragos then contacted NERC, which worked over the weekend reviewing ESET’s work and producing a report. Dragos also produced its own report over the weekend.
“If we didn’t have those public-private partnerships already existing, we would have failed that weekend, and you would have had a huge media splash on Monday morning that none of us would have been ready for,” Sachs said.
Many experts believe hackers based in Russia are behind the attacks on Ukraine, which Sachs said has been under “relentless assault” for the past couple years: Banking, railroads and Internet service providers have all experienced disruptions.
But while everything points to Russia, it is also possible individuals posing as Russians are behind the attacks, Sachs said.
Speaking to RTO Insider, Sachs pointed to the Solar Sunrise incident in 1998, in which two teenagers from California attacked Defense Department systems and led the military to believe they were from Iraq. “Just because it looks like a duck, smells like a duck, quacks like a duck — it may be a moose,” he said.
There was considerable discussion about understaffing at the entities responsible for protecting against cyber threats. Many agreed that the supply of qualified cybersecurity workers is too small to meet the very high demand.
“At the state level, we’re generally not staffed for this type of thing,” New Hampshire Public Utilities Commissioner Robert Scott said. “We don’t have the expertise.”
“The electric utility, 30 years ago, was the place to go to out of college,” said Greg Ford, CEO of Georgia System Operations, a cooperative that provides power to half the households in the state. “Today it’s harder and harder to lure those college students.”
“It’s easier to find individuals who are familiar with cybersecurity when it comes to traditional [information technology] and Windows-based infrastructure,” said David Ball, director of AEP Transmission Dispatching. “The more difficult skill set to find today is … a power-based background” and familiarity with SCADA.
“People with these type of skills are very marketable and they’re very mobile,” Scott agreed. “At the state level, we can’t hope to attract those type of people.”
Sachs pointed out, however, that middle and high schools are increasingly sponsoring competitive cybersecurity exercises and students are competing in “hack-a-thons.”
“This is good news,” he said. “And it’s something we need to leverage. … Getting into cybersecurity is absolutely what we want these young kids to do.”
“All I can say to that is ‘Amen,’” Honorable replied.
May 24, 2017
SEEN AROUND TOWN: At the Hall of States for the Large Public Power Council's 30th Anniversary reception Monday: Sen. Cory Gardner (R-Colo.); acting FERC Chairman Cheryl LaFleur; former Sen. Mary Landrieu (D-La.); former Rep. Norm Dicks (D-Wash.); Tom Kuhn, president of Edison Electric Institute; Sue Kelly, president and CEO of the American Public Power Association; and John Di Stasio, president of the LPPC (h/t POLITICO Influence).
# # #
May 23, 2017
Pointing this out: Pruitt tweeted that he addressed the Large Public Power Council about his plan to bring "energy independence" to the country. It's a frequent talking point for Pruitt, but not one that's part of the agency's historical mission. According to its own website, EPA's purpose is to protect human health and the environment. Pruitt also dropped by the Congressional Coal Caucus meeting Monday where he again talked about energy independence. Another pic.
# # #
May 22, 2017
HITTING THE TOWN: Twenty CEOs from the Large Public Power Council, which represents the 26 largest consumer-owned utilities in the U.S., are in town today and tomorrow for meetings with administration officials and lawmakers on tax reform, infrastructure and cybersecurity. The group also celebrates its 30th anniversary with a reception tonight.
# # #
April 6, 2017
By John Di Stasio
For more than a decade, electric utilities, the U.S. government and other organizations have been building a robust and multi-faceted defense against cyberattacks that would disrupt the operations of the U.S. electric grid. At the same time, the cyber threat has evolved, the number of attacks has increased and the nature of attacks has advanced. The security that we’ve gained isn’t fail-safe against new and emerging threats. The risks and challenges posed by this type of dynamic risk require a defense in depth that includes a focus on prevention, resiliency and recovery.
The capabilities of the electric utility industry in each of these areas have grown significantly over the past decade, increasing our knowledge of the threat environment, known threat vectors, and best practices aimed at building a mature and flexible security posture. As Congress and the Trump administration explore technology advancements to minimize cybersecurity threats, it’s important to consider how we got here.
As far back as 1999, the realities of an increasingly digital world, and the related risks, became a national focus. There was a comprehensive national effort to prepare for “Y2K” and potential disruptions to digital systems as we entered a new millennium. In 2005, through the Energy Policy Act, Congress approved the process for mandatory, enforceable reliability standards for the bulk power system. In 2007, Idaho National Laboratory’s “Aurora” experiment suggested that control systems for generating stations might be hacked and manipulated. In December 2015, a cyber attack on the Ukrainian grid underscored concerns over the grid’s vulnerability.
Fortunately, in each case, we increased our knowledge and evolved our defenses through collaboration, standards, exercises, information sharing and best practices designed to harden the defenses of the electric grid. We had the benefit of developing these capabilities without the consequences of an actual event disrupting our national grid.
The electric industry has always held reliability of service as its highest priority, and we are approaching the deterrence of the threats of tomorrow with the same focus and rigor as we have in defending against past and current threats.
We have implemented the nation’s only mandatory suite of cyber security standards, the Critical Infrastructure Protection standards, promulgated by the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation (NERC). We have increased our situational awareness through expanded coordination with the Electricity Information and Analysis Center and the Industrial Control Systems Cyber Emergency Response Team. We have also expanded our partnership with government through participation in the Electric Sub-Sector Coordinating Council and the Department of Energy’s Office of Energy Delivery and Reliability.
The ESCC has recently established a Cyber Mutual Assistance program to allow for timely support in the face of a cyber attack to any member utility or group of utilities. This model has long been in place to address extreme weather outages so we have a long history of practicing mutual aid. We also share best practices through our national associations to raise the individual and collective cyber-readiness of the industry.
After more than a decade of public and private sector collaboration and engagement, the foundation and framework are in place for a multi-faceted defense in depth. But we know we cannot stand still.
There is much yet to be done to anticipate new cyber threats and to continue to build our security capacity and capability. We welcome the opportunity to work with policymakers and regulators as they grapple with this national security risk, but we continue to believe that the flexible, risk-based framework we’ve built together gives us the chance to evolve our mitigation as the risks evolve.
An earlier version of this op-ed incorrectly stated NERC’s full name.
John Di Stasio is president of the Large Public Power Council and formerly served as the CEO of the Sacramento Municipal Utility District.
# # #
March 29, 2017
By Blake Sobczak
Senators of all political stripes voiced support yesterday for exploring new strategies to thwart cyberattacks on the U.S. power grid, including a plan for keeping the lights on without relying on the internet.
Sen. Angus King (I-Maine) urged electricity sector experts to consider whether "back-to-the-future answers" — such as manual backup operations at critical points in the power grid — "might protect us from the kind of attack that we know is coming.
"This qualifies as an emergency, and I hope we can act promptly," King said at a Senate Energy and Natural Resources Subcommittee on Energy hearing yesterday, as he called for a $10 million, two-year grid cybersecurity study (E&E Daily, March 27).
King's bill, S. 79, the "Securing Energy Infrastructure Act," was largely welcomed by witnesses at the hearing. But experts warned against letting strong cyberdefenses come at the expense of other hard-won innovations.
"A broad-scale reversion to pre-digital technology is uneconomic, unjustified and perhaps even impossible," said Michael Bardee, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission, in prepared testimony.
"But I do not see S. 79 as proposing such action," he added, noting that the legislation "could potentially aid the utility industry, FERC and others to maintain a secure electric grid" by setting up an interagency working group to examine the problem.
Bardee suggested King add FERC to the proposed list of members on the working group, which now includes the departments of Defense, Energy and Homeland Security; intelligence community; and the North American Electric Reliability Corp., the nonprofit grid overseer.
The bill was first introduced last summer in response to a series of eye-opening cyberattacks on Ukraine's power grid. In December 2015, hackers used stolen usernames and passwords to break into three Ukrainian utilities' operating networks and cut off power to about a quarter of a million people. The victim companies were able to restore electricity only after reverting to "manual mode" — dispatching employees to flip switches at remote facilities.
A year later, hackers struck again at another Ukrainian power company, temporarily severing electricity at a transmission-level substation (Energywire, Jan. 11).
"If we aren't prepared for cyberattacks, a Ukraine-like situation could take place in the U.S.," said Energy Subcommittee Chairman Cory Gardner (R-Colo.) at the outset of yesterday's hearing. He added that "hackers are certainly trying to create that kind of havoc in the U.S."
Thomas Zacharia, deputy director for science and technology at Oak Ridge National Laboratory, noted that his agency would be called on to support the working group if King's "retro" security bill is enacted.
He told senators that a "two-year pilot to really explore what is possible, to get out in front of this evolving challenge, is probably the best thing we can do."
Industry speakers at the hearing pointed to existing efforts to lock down the power grid from hackers.
John Di Stasio, president of the Large Public Power Council, which represents some of the biggest locally owned utilities in the country, said his group supports the "Securing Energy Infrastructure Act" on the condition that it doesn't get ahead of any existing cybersecurity requirements set by NERC.
"We've got a very robust cyber compliance and enforcement program," he said, noting that the industry has come "a long way" in improving cyberdefenses over the last 10 years. "I feel like we've got some of the essential building blocks in place."
Ben Fowke, CEO of Minneapolis-based utility Xcel Energy Inc., offered a tepid endorsement of King's bill, noting that Xcel "does not object" to the legislation based on its voluntary nature and liability protections for companies that contribute to the working group.
Fowke was more supportive of broader efforts to streamline the government's handling of cybersecurity, such as an effort by Gardner and Sen. Chris Coons (D-Del.) to create a Select Committee on Cybersecurity to cut down on some of the overlap in Congress.
"We just need to coordinate better," said Fowke. "There's a lot of work being done, but it's being done by a lot of agencies, it's being done by a lot of congressional committees. ... I think we're getting better at coordinating, but the bad actors are getting better at attacking us at the same time."
# # #