Grid Security Exercise Wraps Up With Strong Public Power Participation

November 22, 2021

by Paul Ciampoli
APPA News Director

The North American Electric Reliability Corporation (NERC) last week wrapped up its grid security exercise, GridEx VI, with a large number of public power utilities participating in the exercise.

Over two days, more than 700 planners led their organizations’ efforts to exercise their response and recovery plans in the face of simulated, coordinated cyber and physical attacks on the North American bulk power system and other critical infrastructure.

This year, GridEx participants expanded to include more representation from public power, co-op and municipal entities, Canadian partners and other critical infrastructure sectors, such as natural gas, original equipment manufacturers, financial services, and telecommunications, NERC said. Approximately 60 public power utilities participated.

Hosted every two years by NERC’s Electric Information Sharing and Analysis Center (E-ISAC), GridEx is the largest grid security exercise in North America.

GridEx is “designed for utilities and government stakeholders to both exercise their response and recovery plans as well as to grease the skids for collaboration efforts during a massive cyber and physical security event that we hold in a simulated environment,” said Jim Robb, president and CEO of NERC, in a roundtable with media on Nov. 18.

“Of course, since we last held GridEx in 2019, the threat environment has changed significantly,” he said. “In addition to dealing with the pandemic, many entities have had to implement response and recovery plans in the face of actual cyber and physical attacks,” Robb said.

“This is our sixth GridEx and we’re very pleased this year that we’ve seen increased interest and participation” from public power utilities, among others, “despite the strains of the pandemic,” he said.

Kevin Wailes, administrator and CEO of Nebraska public power utility Lincoln Electric System and ESCC co-chair, said that “when we go through this process, it’s not just this event that we are preparing for, but it’s those that we have actually experienced, even this year.”

By way of example, he pointed to Hurricane Ida. “This same group of people, to a large extent,” played roles in helping to respond to the hurricane, Wailes noted.

Wailes discussed GridEx during a recent appearance on the American Public Power Association’s Public Power Now podcast.

The exercise concluded with an invitation-only executive tabletop session, which brought together industry and government executives to focus on strategic and policy-level issues raised during the exercise.

Robb noted that the tabletop exercise participants include executives from the electricity, natural gas, telecommunications and financial services industries, the Electricity Subsector Coordinating Council (ESCC) and senior federal government officials from the Department of Homeland Security and the Department of Energy (DOE), among others, “as well as our Canadian partners.”

Following GridEx VI, the E-ISAC will develop a public report on the exercise with input from all participants. The report is scheduled to be released in March 2022.

Since the last GridEx in 2019, the cyber security landscape has continued to evolve, guided by geopolitical events, new vulnerabilities, changes in technologies, and increasingly bold cyber criminals and hackers, NERC said.

Lessons learned from GridEx over the years include tangible recommendations for entities as well as industry-wide insights leading to strengthened crisis communication procedures across the industry such as the development of the cyber mutual assistance program, which has proven to be a critical resource, NERC said.

EPB, National Laboratories Earn Award For Cyberattack Protection Technology

November 16, 2021

by Paul Ciampoli
APPA News Director

Chattanooga, Tenn.-based public power utility EPB and the Oak Ridge and Los Alamos National Laboratories have received an award for a joint project that is developing technology to protect America’s electric grid from cyberattacks. 

Specifically, the public power utility and the national laboratories received an R&D 100 Award. Established in 1963, the R&D 100 Awards annually recognize 100 accomplishments in research leading to new commercial products, technologies and materials from around the world notable for their technological significance. 

Oak Ridge National Laboratory, Los Alamos and EPB have worked together for several years on the “QED: Quantum Ensured Defense of the Smart Electric Grid” project. 

QED uses quantum communications in an effort to protect power grid control signals from third-party infiltration. EPB is the only utility in the U.S. that is field testing this quantum technology.

The technology harnesses single particles of light, or photons, to distribute cryptographic keys that can be used to lock control signals into secret codes to protect the electric grid. This novel method brings the security assurances of quantum communication systems to long-haul distances of electric grid systems.

The team has demonstrated the operational use of QED on part of a 21-kilometer field test bed on EPB’s smart grid and 100% fiber optic network in Chattanooga, Tenn. Together the scientists are seeking ways to escape the ongoing attack-defend cycle of cybersecurity breaches by developing this new method of protecting information.

This project is part of a larger collaboration including industry partner Qubitekk, based in San Diego, California.

Funding for this project was provided by the U.S. Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response.

EPB serves the greater Chattanooga area and delivers electricity to more than 170,000 homes and businesses across its 600-square-mile service area, which includes most of Hamilton County as well as parts of surrounding counties in both Tennessee and Georgia.

In 2010, EPB Fiber Optics, which offers internet, TV, and telephone services, became the first provider in the United States to deliver up to 1 Gig internet speeds utilizing a community-wide fiber optic network which is accessible to every home and business in its service area.

In 2015, EPB became the first, and to date, only American internet service provider to make up to 10 Gig (10,000 Mbps) internet speeds accessible to all its residential and commercial customers as a standard offer.

EPB has also utilized its community-wide fiber optic network to deploy the most advanced and highly automated smart grid power management system in the nation.

Ditto Details Utility Sector’s Proactive Approach to Guard Against Cyberattacks

October 13, 2021

by Paul Ciampoli
APPA News Director

Among the many steps that the electricity sector takes to proactively guard against cyberattacks are tabletop exercises under which utility operators respond to a scenario and work through responses, said Joy Ditto, President and CEO of the American Public Power Association (APPA), on Oct. 6.

If such a scenario becomes a reality, “they have those lessons learned to apply,” Ditto said during a cyber summit held by the Aspen Institute.

Collaboration among the electric sector, government agencies and other industries plays a key role in the success of these exercises, Ditto pointed out.

“There’s a lot we do to try to prepare,” she said. “We’re looking at prevention, but we’re also looking at if something happens and if we have to stand ourselves back up, how do we do that?”

There are various scenarios that are examined over time “because we don’t want to have the hubris that this is not going to ever have an operational consequence.”

One example of how the energy sector regularly drills for potential cyber and physical attacks is the North American Electric Reliability Corporation’s GridEx.

The GridEx exercise, which began in 2011, allows utilities, government partners and other critical infrastructure participants to engage with local and regional first responders, exercise cross-sector impacts, improve unity of messages and communication, identify lessons learned and engage senior leadership. Public power participation increased 47% from GridEx IV in 2017 to GridEx V. The next GridEx takes place Nov. 16-17, 2021.

Meanwhile, Ditto noted that digital components began to be installed onto the power grid in the 1980s to create efficiency, foster situational awareness and boost reliability.

When this technology was first developed there was not a full appreciation for cybersecurity vulnerabilities.

“When we started to realize that there was a cybersecurity issue, we started to bake in cybersecurity but we had to go back and reconfigure some of those legacy systems and that’s been part of the challenge to us,” Ditto said.

Noting the wide range of sizes among public power utilities, Ditto said that about half of APPA’s member utilities have no digital components on their distribution grids.

“But they will be looking to do so in the future, and I think one advantage they may have there is they can really bake that cybersecurity in on the front end when they’re developing those digital systems” to do things like integrating distributed energy resources, responding to customer needs or thinking about greenhouse gas emissions reductions “more fully on their distribution grids.”

For those public power utilities that already have digital components on their grids, “as we create more digital components to address” evolving customer needs and climate change, “we do now have an opportunity to really think much more strategically and fully about cybersecurity and I know our vendor community is working with us very heavily to do that.”

In July 2021, the Biden Administration released a national security memorandum on cybersecurity for industrial control systems. The memorandum outlined how critical industry sectors, including energy, should protect themselves from cyberattacks.

Ditto noted that in the memo and in some actions subsequently taken to flesh out that memo, there are performance goals that will apply across critical infrastructure sectors. “They are voluntary. We agree with the voluntary goals. Where we sometimes get a little bit concerned is” when there are mandates in this space. “Because it is ever evolving it might make us a little bit more about compliance rather than addressing things in a timely manner and in a flexible manner.”

She pointed out that “we’re the only critical infrastructure sector” of the 16 critical infrastructure sectors “that have mandatory and enforceable reliability standards on our bulk power system that include cybersecurity standards.”

Senate Committee Approves Cyber Incident Report Legislation

October 7, 2021

by Paul Ciampoli
APPA News Director

The Senate Homeland Security and Government Affairs Committee on Oct. 6 approved S. 2875, the Cyber Incident Reporting Act of 2021.

The legislation would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they are experiencing a cyber-attack.

The bill would also create a requirement for critical infrastructure entities and other organizations, including nonprofits, certain businesses, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment.

Sen. Gary Peters (D-Mich.), chairman of the committee, wants to offer the bill as an amendment to the Fiscal Year 2022 National Defense Authorization Act (NDAA) when it comes to the Senate floor. It is currently unknown when the Senate will consider the NDAA.

In late August, Joy Ditto, President and CEO of the American Public Power Association, and Jim Matheson, CEO of the National Rural Electric Cooperative Association, said that if Congress chooses to enact broad mandatory cyber incident reporting legislation for critical infrastructure, the associations agree with the principles laid out in an August 27 letter led by the Information Technology Industry Council (ITI) and endorsed by numerous other critical infrastructure sector entities and associations.

In that letter, ITI and the other entities and associations said that in order to ensure an effective incident reporting regime that leverages the limited resources of federal agencies, enables regulatory compliance, provides liability protections, and advances national cybersecurity interests, policymakers in Congress should, at a minimum, follow five key principles:

CISA and NIST Take First Step in Implementing Presidential Memo on Cybersecurity

October 5, 2021

by Peter Maloney
APPA News

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have identified recommended cybersecurity practices intended to serve as the foundation for preliminary control system cybersecurity performance goals.

The recommendations were made to comply with a July 28 presidential memorandum on national security that established a voluntary initiative intended to foster collaboration between the federal government and the critical infrastructure community to improve cybersecurity of control systems.

The memorandum instructed the Department of Homeland Security (DHS) to lead the development of preliminary cross-sector control system cybersecurity performance goals as well as sector-specific performance goals within one year of the date of memorandum. The goals are intended to provide a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.

As an initial step in that process, CISA and NIST looked at available control system resources and recommended practices that have been generated by government and the private sector.

CISA and NIST identified nine categories of recommended cybersecurity practices to serve as the foundation for preliminary control system cybersecurity performance goals.

The nine categories are:

Each of the nine goals includes specific objectives, organized into baseline and enhanced objectives, that support the deployment and operation of secure control systems.

All the outlined goals are foundational and represent high-level cybersecurity best practices and are not intended as an exhaustive guide to all facets of an effective cybersecurity program, CISA and NIST said. The enumerated goals are preliminary and were developed and refined with as much interagency and industry input as practical during the initial timeline of the overarching cybersecurity initiative.

The Department of Homeland Security said it expects to conduct much more extensive stakeholder engagement as the goals are finalized in the coming months.

Groups Outline Concerns with Mandatory Cyber Incident Reporting Legislation Under Consideration

September 14, 2021

by Paul Ciampoli
APPA News Director

The American Public Power Association (APPA) and the National Rural Electric Cooperative Association (NRECA) do not support including electric utilities in mandatory cyber incident reporting legislation currently under discussion in Congress because the legislation treats all critical infrastructure entities as equally impactful to national security and puts the onus on the critical infrastructure entity to share information with multiple government agencies.

Joy Ditto, President and CEO of APPA, and Jim Matheson, CEO of NRECA, outlined the concerns of the associations in an Aug. 30 letter to a number of key lawmakers in the House and Senate.

“We are writing to you regarding several introduced and draft bills that would mandate critical infrastructure sectors to report ‘cyber incidents’ to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA),” Ditto and Matheson wrote.

“We believe that the incident reporting mandates currently under discussion would burden electric utilities — especially smaller public power and cooperative utilities — with increased administrative tasks that will not materially increase their, or the country’s, cybersecurity posture, but would likely divert limited resources away from securing and defending systems,” Ditto and Matheson said.

They said that electric utilities “take very seriously their responsibility to maintain a secure and reliable electric grid. It is the only critical infrastructure sector that has mandatory and enforceable federal regulatory standards in place for cyber and physical security (collectively known as grid security).”

These standards include mandatory reporting of specific cyber incidents to the Department of Energy (DOE) via an Electric Emergency Incident and Disturbance Report (OE-417) and to the North American Electric Reliability Corporation and the Federal Energy Regulatory Commission, the letter pointed out.

Outside of these mandatory reporting standards, all electric utilities, including public power utilities and rural electric cooperatives, participate in robust voluntary information sharing systems such as the Electric Subsector Coordinating Council and the Electricity Information Sharing and Analysis Center, as well as the Multi-State Information and Sharing Analysis Center for public power, Ditto and Matheson said.

Most recently, electric utilities have worked closely with the National Security Council, DOE, and DHS on the “100 Day Electric Sector Industrial Control Systems Cybersecurity Sprint” to encourage and support utilities’ visibility and monitoring of their industrial control system and operational technology networks, as well as automated sharing into government. “It is not clear how these bills would impact these existing voluntary channels or existing or planned machine-to-machine sharing,” wrote Ditto and Matheson.

The biggest concerns of APPA and NRECA with the various versions of incident reporting legislation currently under discussion can be grouped into two broad categories.

First, the legislation “treats all critical infrastructure entities as equally impactful to national security — there is no accounting for the wildly differing risk profiles of an electric utility serving millions of customers and a small distribution electric utility without an industrial control system [a type of operational technology] serving 250 customers.”

Second, the legislation “puts the onus on the critical infrastructure entity to share information with multiple government agencies, instead of encouraging and facilitating the sharing of information between and among agencies.”

While those are the two most significant concerns, “we are also concerned that some proposals include heavy financial fines for failure to report within a very short time period,” Ditto and Matheson told the lawmakers. “All of our members must be able to focus on the matter at hand in the event of a breach and should be given the flexibility to report once the crisis is understood and being managed. There has also been little discussion on how mandatory reporting requirements would impact long existing and robust voluntary information sharing systems nor on what the government’s responsibility is in terms of actionable information sharing and support.”  

If Congress chooses to enact broad mandatory cyber incident reporting legislation for critical infrastructure, Ditto and Matheson said that they agree with the principles laid out in an August 27 letter led by the Information Technology Industry Council (ITI) and endorsed by numerous other critical infrastructure sector entities and associations.

In that letter, ITI and the other entities and associations said that in order to ensure an effective incident reporting regime that leverages the limited resources of federal agencies, enables regulatory compliance, provides liability protections, and advances national cybersecurity interests, policymakers in Congress should, at a minimum, follow five key principles:

Government, Power Sector Have Made Major Strides Tied To Infrastructure Cybersecurity Initiative

August 27, 2021

by Paul Ciampoli
APPA News Director

Key federal government agencies and the electricity industry have made significant strides in support of White House goals aimed at boosting the cybersecurity of critical infrastructure in the U.S., the Department of Energy (DOE) recently reported.

In April 2021, the Biden Administration launched an Industrial Control Systems (ICS) Cybersecurity Initiative to meet its goal of strengthening the cybersecurity of the critical infrastructure across the country.

The initiative was kicked off with a 100-day action plan for the U.S. electricity subsector led by the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) in close coordination with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Electricity Subsector Coordinating Council (ESCC).

On July 28, 2021, President Biden further emphasized the importance of this initiative and broader cybersecurity efforts through his National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

The electricity subsector action plan is the first in a series of sector-by-sector efforts to protect the country’s critical infrastructure from cyber threats and leverages the important public-private partnerships established by Sector Risk Management Agencies, such as DOE for the energy sector, and CISA, DOE said.

Since the launch, CESER, CISA, and the electricity industry have made significant strides in support of the initiative, DOE said.

At least 150 electric utilities have adopted or committed to adopting technologies to further improve the security of the operational technologies (OT) and ICS that manage the nation’s electric systems, by enhancing the visibility, detection, and monitoring of these critical networks. The American Public Power Association (APPA) continues to reach out to members regarding participation in the initiative.   

DOE said that in furtherance of the initiative, control system cybersecurity experts at CESER, CISA, and the National Security Agency’s Cyber Directorate developed a set of ICS monitoring technology evaluation considerations for reference by the electricity subsector. These evaluation considerations, as recently updated, can be found here.

In addition to accelerating the deployment of OT/ICS cyber monitoring technologies, the initiative has also sparked a range of activities in the electricity subsector like incentivizing cybersecurity investments and discussing the value of cyber insurance, according to DOE.

DOE said that it is committed to continue working with the ESCC in support of this initiative and broader cybersecurity efforts.

DOE is also providing technical and analytical support to some of the smaller utilities in the U.S., municipal and rural cooperative electric utilities, through collaborations with APPA and the National Rural Electric Cooperative Association. “These collaborations will provide financial support to ensure that those utilities can deploy OT/ICS monitoring capabilities, perform risk assessments and architectural reviews, and provide training to utility workers using the technologies,” DOE said.

Meanwhile, DOE also recently issued an updated version of the Cybersecurity Capability Maturity Model (C2M2) to help utilities assess and improve the cybersecurity of their information and operational technology systems. DOE is encouraging all electric utilities to leverage C2M2 to assess the cybersecurity posture of their organizations to help make informed cybersecurity investment decisions.

Special Series: Managing Insurance Risks Takes On Greater Significance With Natural Disasters, Cyber Attacks – Part One

August 23, 2021

by Paul Ciampoli
APPA News Director
and Peter Maloney

Per member requests, the American Public Power Association presents this in-depth Public Power Current newsletter series on managing insurance risks. Thank you to the utility systems and industry experts for their contributions about what is happening in the insurance market that is affecting policy coverage and prices (Part 1); types of “best practices” utilities can utilize to minimize their exposure (Part 2); and what potential alternatives may be available to help in a challenging insurance market (Part 3). 

Risks to utility operations are rising and with them the cost of insurance is rising too.

In this environment, it can be difficult for a public power utility to retain essential insurance coverage while containing costs. The fact of the matter is that insurance companies have had to make large payouts to customers who have suffered massive losses.

Losses from natural disaster hit $133 billion in 2017, a historic high, according to the Insurance Information Institute. That year saw a deadly combination of hurricanes – Harvey, Maria and Irma – as well as costly California wildfires. Losses due to natural catastrophe fell in 2018 and 2019, but rose again in 2020, hitting $74.4 billion, an 88 percent increase from $39.6 billion of losses in 2019.

In 2020, the most costly losses came from storms and cyclones, which accounted for about 75 percent of the $119 billion in losses, followed by wildfires, accounting for nearly 20 percent of losses, and flooding, which accounted for 4 percent of losses, according to the Insurance Information Institute.

Insurance company Swiss Re ranked 2020 as the fifth costliest year on record since 1970 for the insurance industry, with global losses totaling $83 billion. The losses were driven by a record number of severe convective storms (thunderstorms with tornadoes, floods and hail) and wildfires in the United States. Those and other secondary events around the world accounted for 70 percent of the $76 billion of insured losses from natural catastrophes, the institute said.

In order to recapitalize after those losses, insurance companies have a few options that are not necessarily exclusive of each other. They can increase the premiums they charge customers, or they can raise the bar in terms of which entities they will insure.

“Insurance carriers have been affected by storms and claim payouts for their insureds, social inflation, and record setting verdicts,” Ryan Weber, vice president at Marsh USA, said. Pricing has increased the past 15 consecutive quarters, he noted.

The good news, Weber said, is that there were signs in the second quarter that the market could be adjusting in insureds’ favor for coverage lines such as property and liability. “Cyber liability pricing appears to be heading in the wrong direction, however, due to the severity and frequency of the recent cyber breaches in 2021,” Weber said.

The cyber ransomware attack on Colonial Pipeline in the U.S. earlier this year, as well as other ransomware attacks, has resulted in increased attention to the risk insurance market. Colonial Pipeline is the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily to meet the energy needs of consumers from Houston, Texas to the New York Harbor.

In May 2021, the Government Accountability Office (GAO) issued a report on cyber insurance. It said that key trends in the current market for cyber insurance include the following:

Meanwhile, in a recent podcast, CAC Specialty’s Adam Lantrip addressed the current cyber insurance market, recent ransomware events, and some tips for coordinating insurance and the technology and legal venders who assist companies in responding to attacks.

CAC Specialty is a specialty insurance brokerage firm.

“Where things are going is clients are going to have to demonstrate a much higher baseline level of security in order to qualify for coverage,” said Lantrip on the podcast. Lantrip is CAC’s senior vice president for professional liability and cyber practice leader.

A year and a half ago, “we could have taken just about any company into the marketplace with whatever their controls were and probably been able to get them a pretty good option from somebody in the insurance marketplace,” Lantrip said.

“Today, we’re seeing clients that we would objectively think are generally pretty good risks but they’re answering ‘no’ to one or two or three very specific questions about their security posture and those ‘no’ responses” are resulting in an automatic refusal “from a huge section of the marketplace.” When that happens, “the ability to get coverage starts to shrink.”

A robust cybersecurity insurance market could help reduce the number of successful cyberattacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection, notes the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Department of Homeland Security.

“Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyberattack,” CISA says. In recent years, CISA has engaged key stakeholders to address this emerging cyber risk area.

Since 2012, CISA has engaged academia, infrastructure owners and operators, insurers, chief information security officers (CISOs), risk managers, and others to find ways to expand the cybersecurity insurance market’s ability to address this emerging cyber risk area. More broadly, CISA has sought input from these same stakeholders on the market’s potential to encourage businesses to improve their cybersecurity in return for more coverage at more affordable rates. 

CISA is currently facilitating dialogue with CISOs, Chief Security Officers, and insurers about how a cyber incident data repository could foster both the identification of emerging cybersecurity best practices across sectors and the development of new cybersecurity insurance policies that “reward” businesses for adopting and enforcing those best practices.

In Part 2, tomorrow, we will explore some of the “best practices” utilities have undertaken to minimize their exposure to higher insurance rates.

APPA Resources

APPA has numerous member resources available to help risk managers.

Department of Energy Accelerates Release Of Cybersecurity Capability Maturity Model Update

July 21, 2021

by Paul Ciampoli
APPA News Director

The Department of Energy (DOE) this week released an update to the Cybersecurity Capability Maturity Model (C2M2), which was originally scheduled for release at the end of this year.

The American Public Power Association (APPA), along with a number of cyber experts from public power, rural electric cooperatives and investor-owned utilities, have been working with the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) over the past two years to update the C2M2. 

Nathan Mitchell, Senior Director of Operations Programs at APPA, noted that this industry-led effort to update this voluntary cybersecurity model is in response to the continued attacks on information technology/operational technology cyber systems. “APPA wants to thank the public power representatives that have helped in this revision process,” he said.

“APPA recommends that public power utilities review the C2M2 V2.0, conduct a self-assessment of your cybersecurity program, and mitigate any risks you may find to prepare for and prevent cyber-attacks,” he said.

The new model was scheduled to be released at the end of 2021, but DOE-CESER and industry representatives agreed that accelerating the release of the new guidance and recommendations would help the electricity industry assess their cyber systems now.  

APPA also recommends that public power utility managers look at the Axio 360 for Public Power platform to help in tracking the progress of cybersecurity capability at their utility.  The C2M2 V2.0 is available on the Axio platform. Users can reach out to support@axio.com with any questions.

The testing and validation of the model is ongoing and DOE welcomes any feedback based on experience using the updated model.  Email DOE at C2M2@hq.doe.gov to share feedback and lessons learned.  If changes are needed to clarify any C2M2 V2.0 model recommendations, an update will be issued at the end of the year. 

The C2M2 V2.0 is available for download at: https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2

Any questions or comments on cybersecurity can be directed to APPA’s Cyber Defense Community email address at: OTCyberDefense@publicpower.org

APPA, other groups urge DOE to incorporate foundational principles for supply chain security

June 22, 2021

by Paul Ciampoli
APPA News Director
June 22, 2021

As the Department of Energy (DOE) considers further action on energy sector supply chain security, any new measures must be risk-based, directives should be clear, prospective, and scalable, DOE should focus on vendor risks, and directives must be cost-conscious, the American Public Power Association (APPA), the Large Public Power Council (LPPC), the National Rural Electric Cooperative Association (NRECA), and the Transmission Access Policy Study Group (TAPS) recently asserted.

The June 8 comments submitted by the four trade associations responded to a DOE Request for Information (RFI) seeking input from stakeholders to inform future recommendations for supply chain security in U.S. energy systems.

The RFI was issued on April 20 in conjunction with an announcement by DOE that it was revoking the “Prohibition Order Securing Critical Defense Facilities,” which took effect on January 16, 2021, and prohibited utilities that supply critical defense facilities from procuring China-specific bulk power system (BPS) equipment that poses an undue risk to the BPS, the security or resilience of critical infrastructure, the economy, national security, or the safety and security of Americans.

The prohibition order was associated with Executive Order (EO) 13920, Securing the United States Bulk-Power System, which President Biden suspended for a 90-day review upon entering office in January. EO 13920 was briefly reinstated following the 90-day suspension, but the emergency declaration of the EO expired on May 1. 

Four foundational principles

In their joint comments, the four trade associations said that as a replacement for EO 13920 is considered, DOE should incorporate into its thinking four foundational principles as follows: 

New measures must be risk-based: The consideration of any new standards, measures, or prohibitions must be calibrated to reflect the risk of the related infrastructure or activity to the nation’s security or public health, APPA and the other groups commented.

The definition of Critical Electric Infrastructure in Section 215A of the Federal Power Act (“Critical Electric Infrastructure Security”) provides an important touchstone for prioritization of these efforts, specifying that “Critical Electric Infrastructure” means “a system or asset of the bulk power system, whether physical or virtual, the incapacity or destruction of which would negatively affect national security, economic security, public health or safety or any combination of such matters,” the groups said.

“Key elements of this definition focus attention on the bulk power system (as opposed to distribution systems), and on the impact that the incapacity of such system may have on national (not local) security, economics and public health or safety.”  

Directives should be clear, prospective, and scalable: APPA, LPPC, NRECA and TAPS said that clarity in connection with any directives, with respect specifically to the facilities that are addressed, and the nature of any activity prescribed or prohibited, is critical. “Ambiguity can be costly and time consuming and ultimately undermine the effectiveness of the directive. Further, directives should be prospective only, and effective only once all definitions and required regulations are in place. Again, ambiguity as to whether the directive applies to infrastructure already in place, or to activities and contracting already underway, will be both costly and may adversely affect grid reliability. Finally, where possible, directives should be scalable, in recognition of widely varying size and capabilities of affected electric utilities.”

Directives must be cost-conscious: Closely related to the precept that any new measures must be calibrated to reflect varied risks, DOE must be mindful of the cost of any directives, the groups told DOE. “The cost of electric service is a key factor in the nation’s economic health, and the reality of varying, but finite resources and budgets suggests that over-spending on security measures may compromise grid reliability in other respects. This is especially important to consumer-owned, not-for-profit public power utilities and rural electric cooperatives, who are owned by the consumers they serve and must bear any new costs imposed by new requirements.”

DOE should focus on vendor risks: The groups said that the electric utility industry’s ability to influence the security measures undertaken by industry suppliers is limited, and particularly so for smaller utilities. Though vendors are outside the direct authority of the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, “DOE may use its influence to affect supplier practices by encouraging suppliers to adopt shared security practices, and to foster security certification upon which the industry can rely.”   

APPA, LPPC, NRECA, and TAPS also responded to a series of questions outlined in the RFI.

In conclusion, the Associations urged DOE “to directly engage with vendors that provide equipment to electric utilities to address any concerns the department may have about risks in the supply chain. The vendors are best suited to address such questions. Any new measures, directives, requirements, or prohibition authority that DOE chooses to pursue regarding electric infrastructure must be risk-informed, clear, prospective, and scalable, and take cost into account to avoid unintended consequences to grid security and reliability.”