9. ELECTRICITY
The Fourth National Climate Assessment report issued by the federal government estimates that the frequency and duration of wildfires will increase significantly in the coming decades, posing particular risks for Western utilities and power supplies, and requiring increased risk mitigation and response strategies (USGCRP, 2018).
Cyberthreats
There has been significant growth in instrumentation and automation at the level of the high-voltage, or bulk power, system. This allows the electricity system to operate more efficiently and provides system operators with much better situational awareness; this can improve grid reliability and resilience in the face of outages, but the added complexity can also introduce cybersecurity vulnerabilities.
As a result, the Energy Independence and Security Act of 2007 directed FERC and the National Institute of Standards and Technology to develop smart grid standards based on concerns about cyberattacks stemming from the growth of smart grids.
The vulnerability of the US power grid to cyberattacks has gained more salience following evidence of a targeted cyberattack by Russia that began in March 2016 using third-party vendors to infiltrate the US electricity system. Moreover, a core rationale for the DOE push to value coal and nuclear capacity based on their fuel security attributes was the risk of cyberattacks on natural gas pipelines that could result in supply disruptions to gas generators. As the electricity system moves towards more digitalisation, the threats of cyberattacks will become even more pronounced.
In response to the May 2017 White House Cybersecurity Executive Order, the Department of Homeland Security and the DOE released an assessment of cyber-risks to the US electricity system. The report, which is a first step led by the DHS and DOE to manage cyber-risks, identified six gaps in the nation’s capabilities to prevent and respond to cyberattacks: 1) cyber-situational awareness and incident impact analysis; 2) roles and responsibilities under cyber-response frameworks; 3) cybersecurity integration into state energy assurance planning; 4) electricity cybersecurity workforce and expertise; 5) supply chain and trusted partners; and 6) public-private cybersecurity information sharing.
FERC is tasked with developing cybersecurity standards for the bulk electricity system, while the Department of Homeland Security’s Transportation Safety Administration is tasked with overseeing threats, including from cyberattacks, to the nation’s pipelines. Under FERC’s direction, NERC developed CIP cybersecurity reliability standards that went into effect in 2008. In 2018, FERC further directed NERC though Order 848 to develop modifications to the CIP reliability standards to update reporting of cyberincidents, moving beyond just a requirement to report incidents that have compromised reliability to those that could pose a future threat to the system.
Emergency response
In the United States, government agencies at all levels and across multiple disciplines are involved in emergency response efforts. Primarily, in most emergencies, the federal government’s role is centred on co-ordination and communication among the various stakeholders.
Electric utilities, in this regard, play a crucial role, as they are responsible for repairing damage to infrastructure and restoring services to customers (EEI, 2016). Power
207
ENERGY SECURITY
IEA. All rights reserved.
9. ELECTRICITY
providers conduct year-round planning and preparation, including exercises and drills, for various types of emergencies, including weather and cyberand physical attacks on infrastructure.
However, in severe emergencies, the government also provides logistical support, including equipment, skilled repair staff, damage assessment expertise and security forces. The most extreme type of event is classified as a National Response Event, which can be either a natural (such as a hurricane or earthquake) or human-caused disaster (such as an act of war or terrorist attack), and requires a multiregional response that is led by the federal government (DOE, 2019).
The United States has a sophisticated threat assessment network that gathers and disseminates information to relevant stakeholders even before an event takes place. Government agencies that participate in this type of risk assessment include the National Weather Service, the US Army Corps of Engineers, the US Department of Homeland Security and the DOE. Industry organisations such as Edison Electric Institute, the American Public Power Association and the National Association of Regulatory Utility Commissioners also help share information.
Power providers are responsible for reporting significant events to the DOE, NERC and their respective regional organisations. The DOE requires utilities that serve as balancing authorities or ISOs/RTOs to report incidents. ISOs/RTOs, balancing authorities and generators also need to file incident reports to NERC (California ISO, 2018).
During and after an emergency incident, power companies take the lead in restoring services to customers, often prioritising service to critical emergency facilities such as hospitals before restoring wider service. It is standard practice in the United States for utilities to provide aid and assistance to one another during emergencies, in a process known as mutual assistance (NARUC, 2015). In this capacity, utilities can share emergency response personnel and services, thereby saving costs. Should a largerimpact incident require a broader co-ordination effort, the power system relies on regional mutual assistance groups (RMAGs). Though state public utility commissions are not responsible for emergency response, they do oversee utilities’ cost recovery mechanisms and their approval is, therefore, required to activate mutual assistance.
In September 2014, FERC and NERC, along with the eight regional reliability entities, undertook a joint review to assess the restoration and recovery plans of the regional entities after a blackout or major outage (NERC, 2017a). Those policies include restoration plans approved by reliability co-ordinators, procedures for deploying blackstart resources, steady state and dynamic simulations testing the effectiveness of the plans, and cybersecurity incident response and recovery plans for critical cyber-assets. The report’s overall estimation was that the entities’ plans are sufficiently detailed and thorough. Periodic assessments to reflect changing conditions in the energy and electricity space will ensure appropriate changes to response policies over time.
The DOE role
The US government conducts emergency responses based on the National Response Framework, which identifies various Emergency Support Functions (DOE, 2018). The DOE is designated as the lead department co-ordinating efforts for the energy sector under this construct, which is primarily tasked with maintaining and restoring energy supplies in the event of a national emergency. In this capacity, the DOE must facilitate the restoration of energy services in cases where a federal response is required, collect
208
IEA. All rights reserved.