Congressman targets utility security clearances for new legislation
Rep. Jerry McNerney, D-Calif., said he will work with Florida Power & Light (FP&L) to address the dearth of security clearances for utility employers as his office considers possible legislative solutions.
After speaking a cybersecurity event Friday, McNerney told reporters that increasing utility access to sensitive information is a priority for him. While he did not address potential legislative solutions being considered, cyber-security experts and federal regulators discussed various efforts to declassify information throughout their presentations.
Other experts, including National Institute of Standards and Technology (NIST) senior security engineer Jim McCarthy highlighted the need for "a concerted push" on the federal level to prioritize cybersecurity. Congress has had bipartisan support in recent years to pass cybersecurity and grid infrastructure legislation, but efforts were repeatedly scuttled on the House floor.
Security clearances require time and resources to obtain, but utilities need to access and share sensitive information in order to protect critical technologies and systems.
GridEx IV, the biennial grid security simulation that took place in November 2017, identified the small number of security clearances among utility personnel as a barrier to utilities responding effectively in a security emergency.
"Government should plan to quickly declassify information that utilities need to prevent or respond to attacks," the report stated among its recommendations.
McNerney commented on the importance of giving utilities secure access to information, "without worry about proprietary data" or exposure to the Freedom of Information Act. In a hallway interview with reporters, the congressman said he learned of the issue in a forum on Thursday from FP&L president and CEO Eric Silagy.
McNerney has introduced grid security measures that recently passed the House and co-founded the bipartisan Grid Innovation Caucus in 2017. McNerney said he will work with FP&L, and more generally with utilities, to "see if there's anything we can do" regarding the communication that's being stymied by a lack of security clearances.
"We need to figure out a way so they can share information and both sides feel comfortable that we're not compromised," McNerney said.
FP&L did not immediately respond to requests for comment or Silagy's remarks.
There are multiple ways to address the challenge posed by the backlog of security clearances, Bill Lawrence, director of the Electricity Information Sharing and Analysis Center (E-ISAC), told the Friday forum hosted by the Lexington Institute.
Within E-ISAC, security clearances are applied to "work with the government partners to try and get things down below the tier line and unclassified," in order for industry analysts to have access to it, Lawrence said. They need access to apply the sensitive information, since they're the ones who are going to take the action.
"It's still sensitive information so we protect it when we share it with the organizations, but we can spread that throughout all of our stakeholders," Lawrence told Utility Dive.
One of E-ISAC’s programs is focused on facilitating a cybersecurity information exchange between federal, regulatory and industry stakeholders. Cybersecurity Risk Information Sharing Program (CRISP) is based on technology deployed by the Department of Energy (DOE) more than a decade ago. It is subscription based, allowing North American utilities to voluntarily join and help "identify threats across the sector," according to NERC.
While the lack of security clearances may be addressed more quickly through declassification, the cybersecurity and utilities industries have called for grid modernization and reform. Many speakers applauded the recent DOE cybersecurity efforts in their remarks, but also asked for more federal funding.
"It is hard for me to imagine that we can fully address the [security] problem without the modern equivalent of the Rural Electrification Act," NIST's McCarthy said in his remarks at Friday's event, referencing the 1936 law that created a federal loan program to build critical rural grid infrastructure.
CORRECTION: An earlier version of this story incorrectly identified whom McNerney heard speak at a recent forum from FP&L. It was Eric Silagy, president and CEO of FP&L.