25. FERC and Cybersecurity: It's Complicated - Carol Holahan
Carol Holahan, counsel in Foley Hoag’s Energy & Cleantech practice, was a guest on The POWER Podcast. Holahan advises large regional generators and other participants in the wholesale and retail competitive electricity markets on policy initiatives, changing environmental regulations, decommissioning and sale of plants, and matters pending before the Federal Energy Regulatory Commission (FERC).

During her interview, Holahan explained some of the differences between natural gas pipeline and bulk power system cybersecurity requirements. Currently, the Transportation Security Administration (TSA) is responsible for oversight of the gas pipeline system. Holahan said the U.S. system comprises a 2.7 million-mile network. Yet, according to a letter written by two FERC commissioners last year, TSA has only six employees dedicated to pipeline oversight. Furthermore, TSA has no mandatory compliance or reporting requirements, and relies on companies basically self-reporting, especially with respect to cybersecurity events.

Oversight of the U.S. bulk power system is markedly different. It is mandatory and quite complicated, with FERC, the North American Electric Reliability Corp. (NERC), the Department of Homeland Security, and the Department of Energy (DOE) all involved in some aspect of oversight. The disparity between the requirements for gas and electric infrastructure, combined with a computer hacking event last year that affected multiple pipeline companies, led two FERC commissioners—one Democrat and one Republican—to write a joint letter urging the transfer of gas pipeline oversight to the DOE. To date, changes in the oversight structure are still being debated in Washington with no clear resolution in sight.

While cybersecurity is easy to neglect, Holahan said a recent $10 million fine issued by NERC against an unnamed power company for alleged cybersecurity violations sent a very clear message to all U.S. utilities subject to NERC requirements: “If you had not been paying attention to cybersecurity to date, you better start.”

Holahan touched on the changing landscape of power generation. She noted that Brayton Point—the last big coal-fired power plant in New England—was retired last year and Pilgrim nuclear plant will be shuttered this year, removing hundreds of MW from the grid. What’s coming online is new gas, solar, and wind generation, including the promise of more offshore wind. Pairing battery storage with renewables is allowing intermittent resources to participate in the market as baseload power.

While noting that FERC has traditionally operated above the political fray, Holahan said there is some concern that the DOE will continue to exert pressure on the agency to provide relief for certain types of units, especially coal-fired plants. Furthermore, Holahan thinks it will be interesting to see how FERC responds to various state policies that support certain resources, such as nuclear and renewables. “I think it will be well worth watching what models FERC is going to approve that will allow these resources to participate without compromising price formation or market entry and exit signals,” she said.