Life Support – Ensuring Proper Regulation of the Electric Grid

With few exceptions, human beings in the United States are literally on life support – plugged in to the electric grid. If that connection is unplugged, everything necessary to sustain the human population stops, including: food, water, fuel, transportation, medical resources, communications, and financial resources. According to a 28 March 2017 Senate report, in a long-term national-scale blackout, millions of U.S. citizens could die. After only a few weeks, deaths would escalate from waterborne diseases, starvation, and societal collapse. Immediate action could reduce these threats.

The bulk power system (“the grid”) is actually comprise of more than 1,000 companies – both public and private sector – that operate in an interconnected system to facilitate the generation, transmission, and distribution of electrical power. The grid is comprised of power generation – such as nuclear, coal, and gas-fired power plants, wind turbines, and solar farms – and high-voltage transmission lines that span long distances across the country and local distribution lines. This interconnected – and vulnerable – patchwork is what allows the United States to support its human population.

Regulating the Grid

The North American Electric Reliability Corporation (NERC), a not-for-profit corporation, acts as the self-regulatory organization “whose mission is to assure the reliability of the bulk power system (BPS) in North America.” The Federal Energy Regulatory Commission (FERC) is an independent federal agency that regulates the interstate transmission of electricity, natural gas, and oil. FERC’s specific authority over the electric grid is to “oversee the reliability of the bulk power system.” The grid regulation process between NERC and FERC is complex.

Adding another layer of complexity, the bulk power system consists of approximately 1,500 entities operating at 100 kilovolts or higher, which are regulated by NERC, and overseen by FERC. However, the bulk power system does not include distribution to end-users, which falls under the jurisdiction of state public utility commissions. This means that there are more than 50 state and federal government agencies as well as a number of nonprofit corporations involved in the regulation of the electric grid.

The Energy Policy Act of 2005 added Section 215 to the Federal Power Act. This gave FERC the authority to certify an organization as an “Electric Reliability Organization” (ERO), which would develop reliability standards for the industry, subject to FERC’s approval. This equates to the industry writing its own reliability standards. On 20 July 2006, FERC certified NERC as the ERO. Other entities objected and administrative appeals and litigation ensued. Section 215 states that FERC,

[U]pon its own motion or upon complaint, may order the Electric Reliability Organization to submit to the Commission a proposed reliability standard or a modification to a reliability standard that addresses a specific matter if the Commission considers such a new or modified reliability standard appropriate to carry out this section.

In other words, FERC can order NERC to develop a particular standard and submit it for FERC’s review and approval, but this is time consuming. For example, inadequate vegetation management (i.e., a tree branch in Ohio) caused the “Great Northeast Blackout” of 14 August 2003. The ensuing cascading failure resulted in 55 million people out of power – almost the entire northeastern United States and part of Canada. This blackout was the direct impetus to develop a standard for vegetation management. It took the industry and FERC until 21 March 2013 – nearly a decade – to establish and approve a final rule for “Transmission Vegetation Management” (FAC-003-2).

Funding & Controlling NERC

NERC’s annual funding is provided through assessments to the entities that it regulates. Moreover, although technically anybody can become a “member” of NERC, the membership structure favors the electric industry as far as the election of NERC’s “independent trustees” (the board that governs NERC). According to NERC rules, all members are assigned to one of 12 groups:

1. Investor-owned utility
2. State/municipal utility
3. Cooperative utility
4. Federal or provincial utility/Federal Power Marketing Administration
5. Transmission-dependent utility
6. Merchant electricity generator
7. Electricity marketer
8. Large end-use electricity customer
9. Small end-use electricity customer
10. Independent system operator/regional transmission organization
11. Regional entity
12. Government representatives

With two sectors being customers, one being the government, and the other nine being the electric industry, the electric industry gets 9 votes whereas customers and the government get 3. In essence, NERC is funded, run, and its leadership elected by the electric utility industry that it allegedly regulates. Thus, FERC (the government) cannot easily tell NERC (the industry) what to do. In this structure, the “ratepayers” have little voice. However, the need to secure the grid and the dependent critical infrastructure is a national security issue.

Lobbying to Fight Against Electric Grid Security

When electric customers pay electric bills, they are paying for NERC and industry groups like the Electric Power Research Institute (EPRI) and the Edison Electric Institute (EEI). Both of these groups are funded by the electric utility industry. Put simply, paying an electric bill means paying for an army of lawyers and lobbyists who are fighting against stricter grid security regulations and lobbying against protections from a catastrophic national-scale power outage. In fact, according to The Center for Responsive Politics, the electric utilities in 2018:

• Spent $122,281,276 on lobbying
• Made total contributions of $24,413,992 (including soft money and PACs)

o   Including of $12,059,457 in political contributions to members of the House

o   Including $3,731,572 in in political contributions to members of the Senate

There is no federal law that says that the grid has to protect itself from hazards and threats. The minimum effort being made currently is not enough to protect families and secure the grid from threats such as EMP, GMD, cyberattacks, extreme weather, and errant tree branches.

Notifying the Public on Electric Disturbance Events

In 1974, Congress passed the Federal Energy Administration Act, which created a new government agency to oversee energy in response to the oil embargo of 1973. A few years later, the Federal Energy Administration became the Department of Energy (DOE), which is tasked with collecting information on “electric disturbance events.” DOE collects this information on what is known as a Form OE-417 (“Electric Emergency Incident and Disturbance Report”). Only a small amount of this information is available to the public in the form of a spreadsheet that is difficult to find, even more difficult to read and analyze, and not frequently updated.

DOE maintains archives (2000 to present) of these spreadsheets on its website. The form has changed a bit over the years and has changed names from the EIA-417 to the present OE-417. Depending on the type of event (or “alert criteria”), there are three different time requirements for reporting:

• An “Emergency Alert” must be reported within 1 hour
• A “Normal Report” must be filed within 6 hours
• A “System Report” must be filed within 1 business day.

In addition, updates are required if there are significant changes to the initial report and a final report must be filed within 72 hours. There are 24 alert criteria listed on the Form OE-417 and the instructions.

A personal analysis of all the publicly available OE-417 data from 2010 through May of 2019 revealed 166 different “event types” reported, many of which were either duplicates or related. For example, there were at least 24 different “event types” that denoted a physical attack. There were at least 50 “event types” that denoted a disturbance caused by weather. Grouping these 166 “event types” into 15 categories (actually “causes”) provides a sense of what has actually threatened the electric grid in the past 8.5 years.

There have been 1,766 electric disturbance events filed on OE-417 reports during the period of 1 January 2010 through 31 May 2019. However, for 251 (14%) electric disturbance events, it was not possible to identify a cause. Also, there were 68 generation, transmission, and distribution interruptions that could not be distilled into what caused the “interruptions.” Therefore, there were 319 (18%) electric disturbance events where the cause could not be identified. The 1,447 (82%) known electric disturbance events revealed the following:

• 749 (52%) weather-related events
• 578 (40%) physical attacks on the grid
• 61 (4%) fuel supply deficiency events
• 29 (2%) cyberattacks
• Other 30 (2%) disturbance events were equipment (15), natural disaster (10), and wildfire (5)

Comparing OE-417 & NERC Reliability Reports

There is a disconnect between what the industry defines as a cybersecurity or physical security incident and what is reported on the OE-417s. During the 2010-2018 period, NERC reported the following in its annual reports:

• 2019 Report (page ix): “In 2018, there were no reported cyber or physical security incidents that resulted in an unauthorized control action or loss of load.”
• 2018 Report (page viii): “In 2017, there were no reported cyber or physical security incidents that resulted in a loss of load.”
• 2017 Report (page 3): “In 2016, there were no reported cyber or physical security incidents that resulted in a loss of load.” (Note: The Buckskin Utah transformer attack took place in 2016.)
• 2016 Report (page v): “In 2015, there were no reported cybersecurity incidents that resulted in loss of load. There was one physical security incident that resulted in a loss of approximately 20 MW of load.”
• 2015 Report (page 7): “[N]o reportable cyber security incidents or physical security reportable events resulted in loss of load on the BPS in 2014.” (Note: The Nogales Station in Arizona was attacked by an IED in 2014.)
• 2014 Report: No mention of cyber or physical attacks. (Note: The Metcalf Transformer attack took place in 2013.)
• 2013 Report: No mention of cyber or physical attacks.
• 2012 Report: No mention of cyber or physical attacks.
• 2011 Report: No mention of cyber or physical attacks.

Despite the Metcalf attack, the Nogales attack, and the Buckskin attack being significant physical attacks against the grid, NERC did not include any of it in its annual reports. In contrast, with regard to cyberattacks, the U.S. Government Accountability Office (GAO) stated the following in Congressional testimony on 21 October 2015:

Cyber incidents continue to affect the electric industry. For example, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team noted that the number of reported cyber incidents affecting control systems of companies in the electricity subsector increased from 3 in 2009 to 25 in 2011. The response team reported that the energy sector, which includes the electricity subsector, led all others in fiscal year 2014 with 79 reported incidents. Reported incidents affecting the electricity subsector have had a variety of impacts, including hacks into smart meters to steal power, failure in control systems devices requiring power plants to be shut down, and malicious software disabling safety monitoring systems.

Between 2010 and 31 May 2019, 578 physical attacks and 29 cyberattacks against the grid were reported on the OE-417s, but the NERC only reported one physical attack and no cyberattacks. In addition, DHS has a completely different number of cyber incidents than DOE, whose numbers are different from NERC.

Recommendations

The public and Congress are currently not getting enough information to determine: (1) what incidents are occurring; and (2) whether the regulatory regime is effective. First, NERC is withholding the names of critical infrastructure protection (CIP) violators, which means that any egregious or repeat violators cannot be identified and held accountable. Second, the flawed OE-417 information lacks the causes behind 18% of the reported disturbances. Finally, there is an unexplained disparity between the OE-417 reports and the NERC annual reliability reports. These deficiencies must be corrected and could be addressed with the following recommendations.

• For the Department of Energy (DOE):

o   List a root cause for every disturbance reported on each OE-417;

o   Ensure accuracy in the “Number of Customers Affected” block on the OE-417; and

o   Convey the same information on the OE-417 and the NERC reliability reports (since DOE owns the OE-417, ask NERC to address the OE-417 data in its annual reliability reports).

• For the Federal Energy Regulatory Commission (FERC):

o   Convey the same information on the OE-417s and the NERC reliability reports (as NERC’s regulator, ask NERC to address the OE-417 data in its annual reliability reports); and

o   Provide transparency and disclosure of the names of CIP violators in order to incentivize the industry to fix the longstanding physical and cybersecurity weaknesses that plague the electric grid.

• For the North American Electric Reliability Corporation (NERC):

o   Understand that NERC is not the industry’s champion, but rather its regulator;

o   Disclose the names of the CIP violators once violations are mitigated, which would incentivize the industry to improve cyber and physical security; and

o   Discuss and analyze the OE-417 data in NERC’s annual reliability reports.

• For Congress:

o   Develop legislation to ensure that the public and Congress receive reliable and accurate data on the threats to the electric grid.

The electric grid is vulnerable to numerous threats. Protecting the names of CIP violators is an avoidable risk. For national security of critical infrastructure, the industry must hold some accountability for physical security and cybersecurity.