On February 14, the  Federal Energy Regulatory Commission (FERC) Chairman Neil Chatterjee testified before the Senate Energy & Natural Resources Committee to discuss cybersecurity in the energy industry. Chatterjee had three specific points to bring up in his testimony: “first, the evolution of mandatory reliability standards; second, the voluntary partnerships FERC has established with industry and other agencies; and third, the interdependency of the electric and natural gas systems.”

For the mandatory reliability standards, Chatterjee discussed the ruling under the Federal Power Act that gave FERC “authority to approve mandatory reliability standards developed by the North American Electric Reliability Corporation (NERC).” After these are approved, they become mandatory and either NERC or FERC enforces them. “NERC’s standards for cybersecurity, known as the Critical Infrastructure Protection (CIP) standards, became mandatory and enforceable in 2009.”

In the last ten years, “the CIP standards have matured considerably and now form an effective framework for protections against cyber threats,” Chatterjee said. As a result of the standards maturing, “the need for constant revisions to address discrete issues and, instead, has allowed both FERC and NERC to focus on tackling emerging threats.”  Chatterjee brought up two recent actions that FERC has taken in regard to this. “First, at our October 2018 Commission Meeting, FERC approved NERC’s proposed reliability standards to address supply chain threats. This action is particularly significant given that these specific threats to the energy sector continue to grow. Second, at our July 2018 Commission Meeting, FERC approved a final rule directing NERC to expand reporting requirements for critical systems.”

Chatterjee said the final ruling “directed NERC to develop a standard that requires registered entities to report successful and attempted intrusions into critical systems to NERC’s Electricity Information Sharing and Analysis Center, as well as to the Department of Homeland Security.” The Chairman said this was “an important step toward enhancing the collection and distribution of information on rapidly evolving threats.”

As for voluntary partnerships, Chatterjee said that even though the CIP standards are an “important baseline for cybersecurity practices,” merely complying “is not enough to achieve cybersecurity excellence.” FERC has developed “two-prong approach to address threats to energy infrastructure: mandatory reliability standards overseen by our Office of Electric Reliability, and voluntary initiatives overseen by our Office of Energy Infrastructure Security (OEIS).” OEIS works with partners in state and federal agencies as well as those in the industry “to develop and promote best practices for critical infrastructure security. These initiatives include … voluntary architecture assessments of interested entities, classified briefings for state and industry officials, and joint security programs with other government agencies and industry.”

Chatterjee wants to continue strengthening those partnerships, and in the spirit of that, FERC is holding a joint technical conference with the Department of Energy on March 28. “The conference will explore current threats against energy infrastructure, best practices for mitigation, current incentives for investing in physical and cybersecurity protections, and cost recovery practices at both the state and federal level.”

As for the interdependency of the electric and natural gas systems, Chatterjee expressed his concerns that “because of our nation’s growing use of natural gas for power generation, a successful cyberattack on the natural gas pipeline system could have a significant impact on the electric grid.”

“I recently met with TSA Administrator David Pekoske to discuss pipeline cybersecurity and was impressed by his focus on this vital issue as well as his pledge to taking further action to improve TSA’s oversight of pipeline security. While I think both industry and government have made significant strides toward addressing this issue, I believe more work still needs to be done, and the Commission stands ready to assist in these efforts.”

A full video of Chatterjee’s testimony can be viewed here.

• FERC