Through the Energy Policy Act of 2005, Congress formed a hybrid system for setting electric grid reliability and security standards: a private corporation, the North American Electric Reliability Corporation (NERC), writes grid standards, while a government agency, the Federal Energy Regulatory Commission (FERC), reviews and approves NERC’s standards.

FERC and NERC appear to have a close working relationship in jointly developing grid standards. During an April 10, 2014 Senate Energy Committee hearing titled “Keeping The Lights On—Are We Doing Enough To Ensure The Reliability And Security Of The U.S. Electric Grid?”, both Cheryl LaFleur, Acting Chair of FERC, and Gerry Cauley, CEO of NERC, characterized the hybrid system as working well.

Mr. Cauley testified, “I think the model is working really well. It’s almost necessary because it’s such a complex electric grid… I think we have the best of the public interest being represented and government oversight with the expertise and full understanding of how the grid works from industry.”

Other observers might characterize the FERC-NERC relationship as a closed system where the public interest is given short shrift. For example, while NERC has authored and FERC has approved “in the public interest” five sets of cybersecurity standards over seven years, specific cybersecurity requirements of law remain unaddressed. The NERC drafting team did not include a provision in the most recent standards that would have satisfied the Energy Policy Act of 2005’s mandate for protection of “communications networks” against “cybersecurity incidents.” FERC has given NERC yet another year to address this requirement, and while electric grid communication networks remain unsecured, foreign hackers have penetrated the U.S. electric grid.

Also of concern are exemptions, specifically of generation plants and major control centers, from recently passed standards for both physical security (see NERC Standard CIP-014-1 — Physical Security) and operating procedures to protect against solar storms (see NERC Standard EOP-010-1 — Geomagnetic Disturbance Operations).

On one hand, FERC and NERC leadership says the hybrid regulatory system is working well. On the other hand, evidence suggests that FERC has been complicit in NERC’s setting of delayed and inadequate cybersecurity, physical protection, and solar storm protection standards.

Is the current NERC-FERC hybrid system for setting electric grid reliability and security in the best interest of the public? What are the costs and benefits of the current relationship?