Citing lapses in control of sensitive power system information, the Energy Department’s Office of Inspector General has ordered the Federal Energy Regulatory Commission to take immediate steps to protect national security information pertaining to the bulk power system, which in some cases includes hydroelectric facilities.
DOE Inspector General Gregory Friedman issued a management alert April 9 recommending immediate steps by FERC Acting Chairman Cheryl LaFleur. LaFleur, who, along with members of Congress, requested the inspector general’s review, committed to taking all needed action to strengthen the commission’s information security processes.
Friedman’s alert said his review was initiated in response to an alleged leak of modeling studies exposing certain power grid vulnerabilities and of non-public information relating to the investigation of an April 2013 attack on Pacific Gas & Electric Co.’s Metcalf Transmission Substation south of San Jose, Calif.
First treated as vandalism, the sniper attack a year ago on the Metcalf substation subsequently has been considered a possible test by terrorists of the vulnerability of the bulk power system. PG&E announced April 10 it is offering a $250,000 reward for information leading to conviction of the perpetrators, who caused extensive damage to the substation. The utility also is investing $100 million in the next three years on substation security.
Investigation of the alleged leak of FERC modeling studies exposing power grid vulnerabilities is the result of an article published in March by the Wall Street Journal that included some details of such FERC modeling. In testimony April 10 to the Senate Energy Committee, LaFleur condemned the newspaper’s action.
“While there may be value in a general discussion of the steps we take to keep the grid safe, the publication of sensitive material about the grid crosses the line from transparency to irresponsibility, and gives those who would do us harm a roadmap to achieve malicious designs,” LaFleur told the committee.
Friedman said his department confirmed at least one electric grid-related presentation created by FERC staff should have been classified and protected from release at the time it was created. He said it had been determined the presentation had been viewed and handled by commission staff who might not have had security clearances, had been maintained on portable electronic equipment and transmitted via insecure means, and might have been provided to both federal and industry officials in unclassified settings.
“We are especially concerned with reports that the document was not properly classified and may currently be stored on unclassified commission servers, as well as on current and former commission employees’ desktop computers, laptops, portable electronic devices and copiers,” the inspector general said. “These are the main reasons for the urgency of this management alert.”
The inspector general directed FERC to move immediately to protect the information in question, to seek assistance from appropriate agencies to ensure such information is properly classified, to apprise all handlers of such material of their duty to protect it, and to segregate and secure all classified information it might discover.
FERC issued an order March 7 directing the North American Reliability Corp. to develop reliability standards requiring owners and operators of the bulk power system to address risks due to physical security threats and vulnerabilities. The order, No. RD14-6, requires physical security for the facilities most critical to reliable operation of the bulk power system.
FERC also issued a proposed rule last year to update Critical Infrastructure Protection Reliability Standards by expanding cyber security standards for the bulk electricity system. In January, FERC issued proposed reliability standards intended to mitigate effects of geomagnetic disturbances on the power system.