Cybersecurity Standards for Electric Grid Seen Expanding

The U.S. Federal Energy Regulatory Commission proposed to revise its cybersecurity standards for the nation’s electric grid, expanding the rules to more than 60 additional companies.

The agency today voted to start the process for updating the existing critical infrastructure protection standards. The revisions are aimed at enhancing the “security posture” of companies that link to the grid, according to a FERC statement.

Cybersecurity is becoming a critical issue for electric utilities as components such as generators, power meters and appliances are interconnected using the Internet. White House National Security Adviser Thomas Donilon said in a March 11 speech that the U.S. is concerned about “cyber intrusions emanating from China at a very large scale.”

The standards proposed by the FERC will cover at least 61 companies in addition to about 1,100 subject to current rules, agency staff said after a commission meeting. The names of the additional companies aren’t public.

The North American Electric Reliability Corp., an Atlanta-based organization that develops standards for utilities, submitted the revisions to FERC in January, according to the agency. The proposal includes cybersecurity controls for systems including electronic perimeters, and it reorganizes how the electric grid’s components are classified to apply the standards more comprehensively.

Officials from the Edison Electric Institute, a Washington-based industry group for publicly traded utilities including Duke Energy Corp. of Charlotte, North Carolina, and Exelon Corp. of Chicago, weren’t immediately available for comment. EEI will issue a statement later today, spokeswoman April Umminger said.

While the proposed standards are a “significant improvement” over those in place, the agency wants to make sure that the language in the revisions is clear and that they are enforceable, Commissioner Cheryl LaFleur said.

The FERC said it will seek public comment to resolve these concerns. Comments are due within 60 days after the proposed rule is published in the Federal Register.

Before it's here, it's on the Bloomberg Terminal.