Because FERC's regulatory authority is limited to the interstate high-voltage transmission network, it has no direct influence over cybersecurity on utility distribution grids that deliver power to customers in cities. State utility commissions oversee that part of the grid. FERC and the National Association of Regulatory Utility Commissioners, the American Public Power Association and the National Rural Electric Cooperative Association are trying to harmonize a common approach, Wellinghoff said in a response to GAO last month.
After years of disjointed efforts since the 2005 act passed, the cyber issue has begun to move on some fronts, officials said, although some difficult regulatory policy negotiations still lie ahead.
Jurisdictional disputes remain
NERC's board of directors approved in December a new detailed checklist that power and transmission companies are to follow in identifying critical parts of their systems that will be subject to cyber protection regulation. The checklist responds to criticism from some members of Congress and FERC's staff that some utilities had kept critical facilities off the "critical assets" list to limit the future reach of cyber legislation. That new policy awaits FERC action.
NERC's trustees also approved in December a new regulatory approval process designed to prevent cyber and reliability standards sought by FERC from being shelved because they failed to win approval from a supermajority of NERC's power company members. The federal regulators had directed NERC in March 2010 to come up with a way to break that impasse, and a year later a resolution is near, with final approval from FERC expected soon, officials said.
Another jurisdictional issue involving nuclear plants has been overcome. The Nuclear Regulatory Commission has agreed to take oversight responsibility for cybersecurity of all systems at nuclear power plants, not just the reactors, officials said. A memorandum of understanding between the NRC and FERC resolves this question.
But a new Senate initiative is likely to reignite the federal-state jurisdictional quarrel over cyber standards.
Wellinghoff, in his March 10 letter to the GAO, said that the Federal Power Act, which applies to high-voltage interstate power transmission, "excludes virtually all of the grid facilities in certain large cities such as New York, thus precluding Commission action to mitigate cyber security or other national security threats to reliability that involve such facilities and major population areas. It is also important to note that much of the smart grid equipment will be installed on distribution facilities and will not fall under the Commission's Federal Power Act jurisdiction."
Last week, Chairman Jeff Bingaman (D-N.M.) of the Senate Energy and Natural Resources Committee and ranking Republican Lisa Murkowski (R-Alaska) circulated a draft bill on cyber protection policy that would give FERC the authority over critical distribution networks that it has been seeking. The proposed language says the bill would cover the "generation, transmission, or distribution of electric energy affecting interstate commerce" that federal authorities consider to be vital to U.S. security or national public health and safety.
Wide gap between least and most protected
A hearing on the legislation will be held in May, the committee said. Majority Leader Harry Reid (D-Nev.) has begun meetings with leaders of several Senate committees interested in the cybersecurity issue, seeking a coordinated path toward action this year, Senate aides said.
But even the successful completion of standards and rules for cyber protection for the power sector won't be enough if the technical competency of the industry's cyber managers is not upgraded, Assante insists.
The case study Assante cites is the Stuxnet computer worm, which industry experts believe penetrated part of Iran's nuclear program in mid-2009, damaging some of its critical uranium enrichment centrifuges.