The House and Energy Commerce
Committee decided against considering legislation today (9/23) that would give
emergency powers to the Federal Energy Regulatory Commission (FERC) in order to
protect the nation's power grid against cyber-attacks to the electrical
grid. This authority would apply to "users, owners and operators" of the
bulk power system.
Committee Chairman John Dingell
(D-MI) and energy subcommittee chairman Rick Boucher (D-VA) attempted to
fast-track the bill in these last few weeks before adjournment, but full
committee Ranking Member Joe Barton (R-TX) objected to the bill moving forward
because he believes it does not go far enough in giving FERC new
authority.
A coalition of electric utility
trade associations (including APPA, NRECA, EEI
and ELCON) had been negotiating with FERC to reach consensus, but they remained
at odds on a few critical matters. However, the most recent Committee
discussion draft contained language that that the industry coalition was
comfortable with:
-FERC's new emergency authority will
apply only to cyber security threats - not to cyber security "and other
national security threats."
-Definition of cyber security threat requires finding of
credible evidence of both: 1.) A likelihood of a
malicious act that could disrupt the operation of programmable electronic
devices and communications networks; and 2.) A substantial
possibility of disruption to the operation of such devices and networks in
the event of such a malicious act.
-Voluntary
plan developed by distribution utilities in Hawaii, Alaska and Guam to deal with cyber security threats to military
installations. The real issue is whether FERC's authority should
extend to distribution systems in those areas or just to the "bulk
power system," which does not reach down to the distribution system level.
Dingell signaled that another
Committee meeting would not occur this year. So while the issue may be
dead for this Congress, it could be a legislative priority in the 111th
Congress.
In a related matter, on September
18, FERC proposed to improve cyber security and close what it considers a
"potential regulatory gap" by clarifying that the facilities within U.S.
nuclear generating plants that are not regulated by the Nuclear Regulatory
Commission (NRC) must comply with FERC mandatory reliability standards on
Critical Infrastructure Protection (CIP).