NEWS AND INSIGHTS

And then there was one….

Colette Honorable is leaving the Federal Energy Regulatory Commission tomorrow, at the end of her term. While some Commissioners stay on beyond their five-year terms until their positions are filled, that is not the case here. Based on my scan of her Twitter feed (and she’s quite the Tweeter!), Commissioner Honorable hasn’t announced plans for the future. That leaves the FERC with one sitting Commissioner and a significant backlog of cases to handle. Yesterday, Senator Lisa Murkowski, chairwoman of the Committee on Energy and Natural Resources, issued a statement, which in relevant part said:

“Commissioner Honorable has served with distinction. While I did not agree with her on every issue, she has been an outstanding regulator, and I wish her and her family well. Although I understand and respect Commissioner Honorable’s decision to step down this week, her departure again underscores the urgent need to re-establish a quorum at FERC.

FERC’s work is increasingly important. Getting the agency back to the normal course of business remains a top priority for me. I will continue to push for a confirmation vote for Neil Chatterjee and Robert Powelson, who were favorably reported by the Energy and Natural Resources Committee earlier this month on a strong bipartisan basis. Even with Commissioner Honorable’s departure, FERC will be able to get back to work on the day these qualified nominees are confirmed. I hope my colleagues among the Senate minority will join us in enabling a quick vote for Mr. Chatterjee and Mr. Powelson.”

So, hopefully, help is on the way soon.  Powelson and Chatterjee have been sitting on the Senate’s Executive Calendar for approving nominees (along with 26 other nominees dating back to mid-May).  Senate confirmation of these two Republicans is not expected to be contentious.   

After Commissioner Honorable announced her departure, Senate Democrats began to float the name of Richard Glick as her replacement. Mr. Glick serves as Democratic General Counsel of the Senate Energy and Natural Resources Committee. So, like Chatterjee, he is a known commodity on the Hill. Beyond his work on the Hill, Mr. Glick’s resume includes a long stint with Iberdrola Resources, service as a policy adviser to Energy Secretary Bill Richardson under the Clinton administration, and service as a legislative director and chief counsel to Senator Dale Bumpers. Given these bona fides, Mr. Glick should be able to navigate a position at FERC quite well.

Reports on AP News this morning suggest that President Trump is going to appoint Mr. Glick in the near future. No official news yet, and there would certainly be a further waiting period until hearings are scheduled or confirmation occurs (recognizing that the Senate has very few work days in session between now and Labor Day).

Assuming all the above happens, that still leaves the fifth seat to be filled, which would be more important now given that a Commission of LaFleur, Glick, Powelson and Chatterjee would be a 2 Democrat/2 Republican Commission.  The final appointee could be the one that is going to be the new permanent Chairman. I personally would not be surprised if Mr. Glick was paired up with the final appointee for confirmation hearings. 

 

 

ExPetr/Petya and the NERC CIP Reliability Standards

 

This week brought another global ransomware scare, dubbed “ExPetr” and/or “Petya”, similar to the “WannaCry” attack a few weeks ago.  By most accounts, the U.S. energy industry was largely unaffected by this round of worm-based ransomware intrusions.   There are important lessons to be learned that tie directly back to the NERC CIP Reliability Standards though, so I thought I’d provide a quick insight on it for those that do not regularly participate in NERC compliance activities.

So, in a nutshell, what’s going on? ExPetr/Petya used a hacking tool called EternalBlue, allegedly developed by the National Security Agency, to exploit Microsoft Windows and lock up computer systems until a ransom of $300 in untraceable Bitcoin is paid. Of course, paying the ransom is no guarantee that your system will be unlocked. Based on the reports so far, ExPetr/Petya was allegedly introduced through a Ukrainian company called MeDoc, a legitimate financial tech company which, on June 22, sent its customers an update to its tax preparation software with the malware embedded in it. Once it was released, it spread through Ukraine and Russia, and then globally, including to U.S. companies like Merck and the law firm of DLA Piper.

Unlike less sophisticated clickbait malware, which usually requires a user to enable the worm by following a malicious website link, this is a patch/configuration-based hack that takes effect when the update is added. Microsoft released a patch for this vulnerability months ago that would close the Windows entry point, but if your IT department is not updating Windows religiously, or allows users with their own updated equipment to access computer networks, the worm can gain access and, once there, spread like wildfire. And when you deal with hundreds or thousands of connected devices, the odds are that at least one will slip through the cracks and not be updated.

That brings me back to the CIP Reliability Standards. First and foremost, CIP Reliability Standards only apply to a subset of computer systems in the electric utility industry: those systems designated as Bulk Electric System (“BES”) Cyber Systems. Among other responsibilities, the suite of CIP Reliability Standards is designed to require entities to configure such BES Cyber Systems in a manner that (1) eliminates access through ports or other entry points to critical systems used to operate the grid, (2) reduces the number of software applications on such critical systems, (3) reduces the number of users with physical or electronic access to the systems, and, perhaps most relevant in this context, (4) requires regular updating of systems through detailed patch management processes, including a process to evaluate patches to ensure they come from a reputable source, that the patch works as intended in a test environment, and that the patch is installed correctly and promptly.

Would application of the CIP Reliability Standards to all computers and associated systems (not only BES Cyber Systems) have stopped this worm? The answer is “probably,” and the standards did seem to serve their designed purpose as to the BES Cyber Systems. First, regular patching of Windows would have closed the vulnerability exploited by ExPetr/Petya had it been done promptly. The patch was released by Microsoft in mid-March. A typical CIP-based patching protocol would have permitted the entity to have approximately 30 days to locate a patch, another 30 days to test it in a safe non-production environment, and then another 30 days to verify and install the patch. The full 90 days envisioned here would get you to about mid-June, so it might have been completed just in the nick of time.

Second, a typical CIP-based patching process would also require testing, as noted above, so test installation of the MeDoc accounting patch in a safe environment may have resulted in a lock-up situation and alerted the IT user to take further action before installing it in a production environment that could affect all interconnected systems. CIP standards require that users validate a source for patching. Here, it was the software company itself that released the patch, and that would typically be a reputable and acceptable source. That’s a bit scary.

Third, the CIP Reliability Standards would likely have treated an application such as accounting/tax software as not necessary on a system that could affect the reliability of the BES. Limiting and isolating the BES Cyber Systems protects against malicious attacks such as worms entering important systems. Conversely, it does nothing to protect against attacks on the rest of a company’s IT, which can bring normal business operations to a grinding halt, as happened to several companies this week.

The CIP Reliability Standards are all about a “defense in depth” approach to protect our critical energy infrastructure. There are important lessons to be learned here that validate NERC’s program and the importance of the CIP Reliability Standards.

Finally, I note that FERC had a technical conference on June 22, touching on further revisions to the reliability standards enforcement program as it nears its 10th anniversary of mandatory applicability.   The archived stream of the conference can be viewed here for the next 3 months. 

FERC Issues Summer 2017 Energy Market and Reliability Assessment

On June 15th, FERC’s Office of Electric Reliability and Office of Enforcement issued their Summer 2017 Energy Market and Reliability Assessment. A copy of the report can be found here.

Here are a few takeaways from the report:

  • Capacity levels are expected to be adequate this summer.  Load forecasts and generation forecasts are essentially on par, with large amounts of new renewable resources offsetting the 4 GW of coal-fired and 6 GW of natural gas-fired plants that have been retired.  The narrowest reserve margins are in ISO New England (15%) and ERCOT (15%) but each is still at or above its reference margin level.
  • The National Oceanic and Atmospheric Administration (NOAA) forecast above normal conditions this summer in the U.S., with the North Atlantic, Southeast and Gulf of Mexico regions holding the strongest possibility for a hot summer.
  • Natural gas prices have risen year over year, following a year (2016) in which natural gas generation exceeded coal-fired generation for the first time. Both coal and natural gas prices have risen from their recent five-year lows, and summer 2017 futures contracts of natural gas were trading at a $0.43/MMBtu premium to coal. Natural gas futures continue to rise, ranging from a $0.38/MMBtu to $0.88/MMBtu regional increase from the prior summer.
  • Overall summer power futures have increased in the range of 9-11 percent, with the sole exception being the PJM Western hub, which has decreased 3 percent.
  • FERC continues to monitor changes and impacts resulting from increased demand response, Aliso Canyon, and the upcoming August 21 solar eclipse.

FERC-NERC Joint Study Report on Planning Restoration Absent SCADA or EMS Issued

 

On June 9th, FERC and NERC issued a Joint Study Report on Planning Restoration Absent SCADA or EMS (PRASE). A copy of the 44-page report can be found here:

As the title suggests, this report assesses and makes practical recommendations regarding practices, procedures and methodologies aimed to expedite system restoration during a loss of SCADA or EMS functionality.  This includes approaches to system monitoring without SCADA or EMS tools, planning to support system restoration under such conditions, and incorporating these measures and approaches into system restoration training.  Five key recommendations are provided in the Joint Report (and summarized by me below):

1. Entities should have backup communications measures and train on them to ensure that entities are capable, available, and reliable for the increased use expected during system restoration without SCADA functionality.   

2. Entities should review, refine and train their personnel resources needed to support the field and control room personnel necessary for system restoration absent SCADA, with an emphasis on deploying personnel to acquire data and logistical support such as food, shelter, and transportation for such personnel. 

3. Entities should review and refine backup power supply plans to ensure they extend beyond the normal backup battery timeframes.

4. Entities should maintain analysis tools for use throughout the system restoration effort and train on the use of the tools.

5. Entities should expressly train on system restoration while incorporating more stressful situations involving loss of SCADA or EMS scenarios or loss of other data sources.

The Ayes Have it: Powelson and Chatterjee Pass Senate Energy and Natural Resources Committee Vote

FERC took a significant step this morning toward restoring its quorum. Neil Chatterjee and Robert Powelson each passed the Senate Energy and Natural Resources Committee by a 20-3 vote margin, demonstrating significant bipartisan support for each candidate. Ron Wyden (OR) and Bernie Sanders (VT) both voted against the nominations (the third nay was inaudible to me). Both FERC Commissioner prospects passed with significantly wider bipartisan support than the DOE appointees that were also on the Committee’s slate.

Next up: Placement on the Executive Calendar for full Senate vote, then off to the President’s desk.  I would expect that these final steps will move fairly rapidly, and we may be back to a functional FERC by the end of the month.

 

O FERC: Where Art Thou?

Pappy O’Daniel: And furthermore, by way of endorsing my candidacy, the Soggy Bottom Boys are gonna lead us all in a rousing chorus of “You Are My Sunshine.”

Pappy O’Daniel:  Ain’t you, boys?

Ulysses Everett McGill: Governor, it’s one of our favorites.

Pappy O’Daniel: Son… you’re gonna go far.

After what most, including yours truly, would characterize as a lackluster confirmation hearing before the Senate Energy and Natural Resources Committee on Thursday, it appears FERC is on track to gain two new Commissioners in the coming weeks. An affirmative vote will return the quorum that is required for the Commission to act on substantive matters, and perhaps begin the process of implementing a shift in certain high-profile policy areas. FERC has been acting without a quorum since February. It has cancelled its regular monthly scheduled Sunshine Act public meetings and has not been issuing orders that are the result of notational votes between open meetings. Various parts of the FERC Staff have kept the agency afloat in certain areas, acting through delegated authority. Even that action, however, has been subject to legal challenge.

So, when Neil Chatterjee, a Congress policy wonk and former lobbyist who was sponsored by Senator Mitch McConnell, and Ronald Powelson, the chairman of the Pennsylvania Public Utilities Commission and current National Association of Regulatory Utility Commissioners president, sponsored by Senator Patrick Toomey, met the questions from the dais, what happened? The short answer is that they both did a notably good job of demonstrating knowledge of key issues that FERC has considered or is considering, and a willingness to work toward consensus to carry forward work to address them. Both Chatterjee and Powelson showed that they had done their homework and were familiar with key issues. Topics including climate change, integration of renewables into the traditional power supply mix, development of markets, and approval of infrastructure projects were all discussed. In my view, no extreme views were expressed. We do not seem to have climate change deniers, for example. We seem to have polished experts that know the industry and the issues, and Commissioners that can hit the ground running on day one.

It is very important for the energy industry that FERC regain its ability to stand on the authority vested in the Commission.  I expect Senator Murkowski will get these two nominees up for a confirmation vote quickly, perhaps as early as next week.  From there, the Commission will stand at four of the five members, but only for a short period.  Commissioner Honorable’s term will expire in June, and she has already declared she is leaving.  That will leave a 3-out-of-5 person Commission with Current Chairwoman LaFleur, as the sole Democrat.  LaFleur by all accounts likes and wants to stay on the Commission (her term runs through 2019) even if demoted a second time from being the Chairwoman.  That leaves one Democratic and one Republican slot to be filled to return the Commission to full capacity.  The Trump administration has been vetting energy law pro Ken McIntyre of Jones Day as the third Republican, and I would speculate that no Democrat is in the works for slot #5 as partial payback for President Obama leaving two Republican seats on the Commission open since Phil Moeller left in the fall of 2015 and Tony Clark left in the fall of 2016.  Paybacks are….well, part of politics.

I am excited that we have two very good Commissioners in the works and for the prospect of promptly getting back to the regular flow of business before FERC.

CWS