Cybersecurity and Other Important Updates
Delia Patterson, SVP, Advocacy & Communications and General Counsel, American Public Power Association
MEPAV Annual Conference, May 22-24, 2019, Virginia Beach, VA
#PublicPower www.PublicPower.org

American Public Power Association’s Cybersecurity Services

Cyber & Physical Preparedness
• Help members develop “all-hazards” approach to disaster preparation and response
• Show federal policymakers public power’s commitment to security and mutual aid
• Strengthen government/industry partnerships
• Minimize new federal regulation

DHS Open Source Alerts: HIDDEN COBRA – North Korean Malicious Cyber Activity
• August 9, 2018: North Korean Trojan: KEYMARBLE
• June 14, 2018: North Korean Trojan: TYPEFRAME
• May 29, 2018: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
• May 29, 2018: HIDDEN COBRA RAT/Worm
• March 28, 2018: North Korean Trojan: SHARPKNOT
• February 13, 2018: North Korean Trojan: HARDRAIN
• February 13, 2018: North Korean Trojan: BADCALL
• December 21, 2017: North Korean Trojan: BANKSHOT
• November 14, 2017: North Korean Remote Admin Tool: FALLCHILL
• November 14, 2017: North Korean Trojan: Volgmer
• August 23, 2017: Analysis of Delta Charlie Attack Malware
• June 13, 2017: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
• May 12, 2017: WannaCry Ransomware (300,000 computers affected)

DOE Cooperative Agreement Overview
• In 2016 APPA partnered with the Department of Energy
• 3-year, $7.5M Cooperative Agreement
• 2016-17 – Analysis and Data Collection
• 2017-18 – Deployment and Resource Development
• 2018-19 – Sustainability
Acknowledgment: These activities are based upon work supported by the Department of Energy under Award Number DE-OE0000811

DOE Cooperative Agreement Overview
Goal: Develop a culture of cyber security within public power utilities
Objective:
• Engage with public power distribution utilities to understand their cyber security awareness, capabilities and risks
• Move each utility from its existing state to a public power target profile
Tasks:
1. Cybersecurity risk assessments (Cybersecurity Scorecard)
2. Onsite cyber vulnerability assessments
3. Pilot existing and emerging security technologies
4. Information sharing between utilities and APPA, E-ISAC, MS-ISAC, other partners

Cybersecurity Risk Assessments: Cybersecurity Scorecard
• Used existing cybersecurity models to inform a product that is usable by all public power utilities
• Developed a self-assessment tool called the public power Cybersecurity Scorecard
• Usable by small to mid-sized public power utilities to start evaluating their cybersecurity program
• Also scalable so all public power utilities will find it useful

Scorecard dashboard (screenshots)
• Scorecard results will populate your dashboard
• Results breakdown by domain
• Improvement recommendations based on scorecard responses

Scorecard Activity
• 225 public power utilities participating
  o (2019 Goal is to reach 400 utilities)
• 445 foundational cybersecurity self-assessments at the 225 utilities
  o (14 Questions – 45 minutes)
• All public power utilities have FREE access to the Scorecard portal
• Utilities who have taken the assessment have reported that the Scorecard is helping to “take the guesswork out of what they should be striving to achieve”

Cybersecurity Scorecard Users
Map: Pink indicates states without any target medium/large utilities.
WHEN: # OF UTILITIES
• 2018 year end: 182
• 2019 Q1: 43
• TOTAL TO DATE: 225
• TARGET FOR 2019: 400

Cybersecurity Roadmap
• Using the Scorecard output, provide public power utilities with clear actions to improve their cybersecurity program
• Provide information that creates a compelling business case for security investments

Incident Response Playbook
• Modeled after mutual aid response network
• Exercising the playbook to be prepared
• Cyber Mutual Assistance (CMA) – national program
  o Utilities sharing cyber resources and expertise in a crisis

Onsite Vulnerability Assessments
• Conducting Onsite Vulnerability Assessments
  o 27 utilities have requested onsite vulnerability assessments
  o 8 assessments are currently underway with current contractor
  o Additional assessments will be scheduled and will utilize a newly developed tool suite built on free, open source resources
  o Creating a methodology to determine the readiness of utilities to deploy technology to monitor the cyber health of their systems

Cybersecurity Technology Assistance Program
• After completing the Scorecard, utilities may be ready to reduce risk by investing in cybersecurity technologies from managed security service providers or other vendors
• The Association’s new Cybersecurity Technology Assistance Program (CTAP) can support that investment first by connecting public power utilities to cybersecurity technology solution providers
• Next, the Association can contribute partial funding through our cooperative agreement with the Department of Energy to qualified utilities
• Interested utilities should contact us at: cybersecurity@publicpower.org

Cybersecurity Training
• Signing up JAAs to be host sites for training
• Cybersecurity@publicpower.org
• Deliver low-cost cybersecurity training and exercises that align with the Scorecard
• Conduct regional facilitated workshops (JAA/State Association sites)
• Hosting a year-end public power Cybersecurity Summit (November 18-20, 2019, Nashville, TN)

Secure Information Sharing
• We continue to recommend the E-ISAC as the trusted source of public power utilities’ ICS threat information
• Sign up for the E-ISAC at www.eisac.com
• Multi-State – Information Sharing Analysis Center (MS-ISAC) is another option for public power. Focused on corporate network cybersecurity, they provide many free services to state and local government IT professionals
• Sign up for the MS-ISAC at www.cisecurity.org
• Developing a program for Shared Cybersecurity Services
  o Joint Action Agency model as a framework to possibly provide a shared cyber analyst
  o Mature organizations mentoring others
  o Concise threat feed in our Secure Trusted Community (STC) network

Cyber Asset Tracking Tool
• Developing a Cyber Asset Tracking system to provide public power utilities with an online tool for:
  o Cyber Asset Inventory
  o Configuration Baseline
  o Vulnerability and Threat Management
  o Cyber Event Logging
  o Supply Chain Tracking

Other Cybersecurity Resources
You can find published material on our website at: www.publicpower.org/gridsecurity
• Cybersecurity Information Engagement Plan
• Cybersecurity Information Sharing Report
• Cybersecurity Essentials: A Public Power Primer
• Managed Cybersecurity Service Providers Guide
• Physical Security Essentials
• Cybersecurity Awareness Videos

Future Sustainability Model
• APPA will continue to provide the platform to conduct cybersecurity self-assessments
• APPA will encourage members to mature their cybersecurity program over time to fill the gaps identified in the self-assessments
• Partner with Joint Action Agencies, Regional Agencies and State Associations across the country to provide services and resources to help utilities sustain their cybersecurity program

Environmental Protection Agency (EPA)

Federal Regulations on Greenhouse Gas Emissions
• October 2015: EPA published the Clean Power Plan (CPP)
• February 2016: U.S. Supreme Court stayed CPP – D.C. Circuit litigation regarding CPP held in abeyance
• October 2017: EPA proposes to repeal CPP
• December 2017: EPA issued an Advanced Notice of Proposed Rulemaking regarding replacement of CPP

Affordable Clean Energy (ACE) Rule
• In August 2018, EPA released the proposed Affordable Clean Energy (ACE) Rule
  o Proposed that heat rate improvements constitute the best system of emissions reductions
  o Proposed revisions to new source review applicability
  o Proposed revisions to implementation regulations for this and future Clean Air Act § 112(d) actions, including extending the regulatory and compliance timelines
  o EPA plans to finalize the ACE rule in June/July 2019
• APPA submitted comments on the proposed ACE Rule

APPA Recommendations on ACE
• APPA supports the replacement of the CPP with emission guidelines that adhere to the statutory requirements of CAA section 111(d)
• APPA supported the implementation of heat rate improvements (HRIs) as the best system of emission reductions (BSER) for existing coal-fired utility boilers
• APPA supports the issuance of states guidance describing what comprises a satisfactory state plan
• APPA supports allowing states’ standards of performance to take many forms
• APPA supports states’ authority to provide flexible compliance options for affected sources to meet their standards of performance
• APPA supports adopting an hourly emission increase test for what is a “modification” under the new source review program

GHG NSPS for New, Modified, and Reconstructed Sources
• October 2015: EPA issues GHG New Source Performance Standards for new, modified and reconstructed EGUs
  o Litigation regarding the rule has been held in abeyance since 2017 and is expected to continue to be held in abeyance
• December 2018: EPA proposed changes to the 2015 GHG NSPS
  o Proposed BSER for new coal-fired steam EGUs to be the most efficient generation technology instead of a coal boiler implementing partial CCS technology
  o Proposed revised standards of performance for reconstructed steam EGUs
  o Proposed separate performance standard for new & reconstructed coal refuse-fired EGUs
  o Did not propose revisions to standards for stationary combustion turbines
• APPA filed comments on the proposed GHG NSPS on March 18, 2019

APPA Recommendations on the GHG NSPS
• APPA supports EPA’s decision to rescind partial carbon capture and sequestration as the BSER for EGUs
• APPA agrees that highly efficient generation technology combined with best operating practices is BSER
• APPA supports a performance standard that is achievable under all load conditions

States and Cities Leading on Climate Change
• Hawaii, California, New Mexico, Washington, D.C. and Puerto Rico legislatures have passed 100% clean energy mandates
• Of the 114 U.S. cities with 100% commitments, five public power communities have met their renewables commitment
  o Aspen, Colorado; Burlington, Vermont; Georgetown, Texas; Greensburg, Kansas; and Rockport, Missouri
Photo: Main Street, Rockport, Missouri

Coal Combustion Residuals – State Actions
• On March 20, 2019, Virginia Governor Northam signed a bill requiring the removal of coal ash from Dominion’s Chesapeake Energy Center
• On April 1, 2019, North Carolina State Department of Environmental Quality ordered Duke Energy to excavate 31 coal ash basins and place their contents in lined landfills
  o Utility plans to appeal the decision
• Tennessee ruling in Aug. 2017 requiring TVA to excavate CCRs and move to a lined impoundment
  o TVA appeal pending in Sixth Circuit
  o APPA joined other associations and trade groups in amicus brief in support of TVA position

Coal Combustion Residuals – Regulatory
• EPA finalized changes to its 2015 CCR rule in June 2018 (a.k.a. Phase I, Part 1)
• Phase I, Part 1 challenged and EPA voluntarily remanded rule
• Phase II Rulemaking
  o Address the beneficial use of CCR
• Federal Permit Program

Combustion Turbine Emissions Standards
• On April 12, 2019, EPA proposed to amend its Stationary Combustion Turbine (CT) National Emission Standards for Hazardous Air Pollutants (NESHAP) and Residual Risk and Technology Review (RTR)
  o EPA proposes to find that risk from CTs’ hazardous air pollutant emissions is acceptable and the NESHAP provides an ample margin of safety
  o EPA did not identify any new control technology
  o EPA proposes to remove startup, shutdown and malfunction provision
  o EPA proposes to require electronic reporting
  o Comments are due May 28, 2019
• A court-ordered deadline requires EPA to finalize the RTR by March 13, 2020

Federal Energy Regulatory Commission (FERC)

FERC: A Year of Changes
Chatterjee (R), LaFleur (D), Glick (D), McNamee (R) (photos courtesy of FERC)
• August 2018 – Commissioner Robert Powelson leaves the Commission
• October 2018 – Commissioner Chatterjee designated Chairman due to illness of Kevin McIntyre, who remains a Commissioner
• December 2018 – Bernard McNamee replaces Powelson
• January 2019 – Commissioner Kevin McIntyre passes away
• January 2019 – Commissioner Cheryl LaFleur announces she is not seeking another term after her current term expires June 30, 2019

Transmission Cost Concerns
• Rising transmission costs continue to be a concern in PJM and other regions
• Problematic growth of Supplemental Projects in PJM
  o In 2018, $5.7 billion of $7.8 billion in proposed transmission projects were Supplemental
  o Limited stakeholder review
• Crucial that FERC implement and enforce transmission planning and cost recovery policies that ensure reasonable rates

FERC Notices of Inquiry
• Two FERC Notices of Inquiry (NOIs) issued in March 2019
• NOIs request comment on:
  o FERC policies for determining the allowed return on equity (ROE) to be included in cost-based rates (Docket PL19-4)
  o FERC’s policies on transmission incentives (Docket PL19-3)
• Any policy changes resulting from NOIs could impact transmission costs
• Initial comments due June 26; reply comments due July 26 (extension requested)
• APPA intends to comment extensively on NOIs

Incentive Notice of Inquiry
• Includes 105 separately numbered questions on virtually every aspect of FERC incentive policies
• Could result in increased use of costly ROE “adders” a/k/a “FERC candy”
• On the other hand, FERC might limit some incentives (e.g., the ROE adder for RTO participation)
• Could have implications for transmission planning, public power joint ownership, adoption of new technologies, etc.
• APPA organizing joint comments

ROE Notice of Inquiry
• Dozens of questions regarding FERC policies for calculating the allowed transmission ROE (profit)
• FERC recently proposed changes to its ROE method in an ISO New England case
• ROE NOI asks for broader industry comment on the new proposed method and other issues
• New method could result in higher ROEs, but good arguments exist against most problematic aspects
• APPA coordinating with other organizations on comments and experts

Storage and DER
• FERC issued Order No. 841 on participation of electric storage resources in RTO/ISO markets in Feb. 2018; rehearing order issued May 2019
• FERC continues to defer action on non-storage distributed energy resources (DER)
• Key issue for APPA is state and local authority to address rate, operational, and safety issues presented by DER (including storage DER)
• APPA argued FERC should allow retail regulators (including public power) to opt out of allowing DER participation in the wholesale market
• Order 841 rehearing

PJM Capacity Construct: Overview
• PJM’s capacity construct, the Reliability Pricing Model (RPM), has been of concern to public power since its inception, due to:
  o high and volatile prices
  o frequent rule changes
  o impediments to self-supply through the minimum offer price rule (MOPR)
• A self-supply MOPR exemption was removed by FERC at the end of 2017, following a DC Circuit decision
• Increasing state actions to procure or retain specific resources have accelerated the generator requests to expand the MOPR from new natural-gas generation to include all technologies and existing resources

PJM Capacity Construct: Recent Developments
• Last June, FERC found that the RPM rules are not just and reasonable because they do not adequately address the suppressive effect on capacity market clearing prices of “out-of-market” support from state subsidies
• FERC initiated a hearing and proposed a “replacement rate”: Expansion of the MOPR to all resources and a new “carve-out” provision to allow the removal of a “subsidized” resource from the capacity auctions, along with a commensurate amount of load
• The Association and PJM members requested rehearing of the order, and filed briefs requesting a complete self-supply MOPR exemption and supported a workable carve-out for state-sponsored resources

PJM Capacity Construct: Current Status
• With no order from FERC, PJM announced its intent to conduct the August capacity auction under current rules
• Meanwhile, the market monitor filed a 206 complaint arguing for a reduction in the capacity offer cap, due to market power concerns. The Association and PJM public power support the complaint
Association position:
• Capacity markets should be residual, voluntary markets with bilateral contracts and ownership as the primary means for resource procurement
• At a minimum, capacity offer mitigation should not apply to public power self-supply
• States may have legitimate policy reasons for procurement or retention of specific resources, and should also not be subject to mitigation

Price Formation Controversy
• PJM, on March 29, filed Section 206 proposal for revisions to its operating reserve market price formation rules which will increase both operating reserve and energy prices
• These changes were filed without stakeholder approval and with strong opposition from load-side interests, including public power, raising significant concerns about PJM governance
• Stakeholders and the market monitor argue that PJM has not demonstrated a reliability or other justification for the proposal
• PJM’s initial estimate was that these changes would increase costs by $2 billion per year
• The Association joined a May 15 load-side coalition group protest of the price formation proposal

GreenHat and Financial Entities
• The Association has long been concerned about financial entity participation in the RTO-run markets, especially in the Financial Transmission Rights (FTR) market
• FTRs and Auction Revenue Rights should function as a hedge for load, and not as a mechanism for transferring payments from load to financial entities
• Such concerns are exemplified by the default of the GreenHat company (managed by former staff of JPMorgan Ventures Energy, which was found by FERC to have violated the anti-market manipulation rule)
• GreenHat amassed the largest portfolio of FTRs in PJM history before defaulting and costing other PJM members hundreds of millions of dollars
• An independent investigation found that PJM management failed to identify growing evidence of the pending default and missed opportunities to stop or restrain GreenHat and limit the costs incurred

Pole Attachments

Pole Attachments
• Section 224 of the Communications Act exempts public power from FCC pole attachment regulations and allows states to “reverse preempt”
• Since 2017, the wireless industry has been:
  o pushing deployment of “small cells” (often pole top) for “5G” broadband
  o saying that small cells and 5G will solve the “digital divide” in rural areas
  o saying public power is “barrier” to broadband deployment
  o conflating right-of-way and “siting” fees with pole attachment rates
  o working in states and at Congress and FCC on siting “reform”
  o circulating or has “small cell” bills in more than 20 states

Pole Attachments
• FCC Actions
  o Mobilitie Petition: In 2016, FCC issued a public notice asking for comment on proposal to exercise jurisdiction over state and local governments, including public power
    • APPA filed reply comments
  o Broadband Deployment Advisory Committee (BDAC): In 2017, FCC enlisted this group, mostly communications industry representatives, to provide recommendations on streamlining local and state siting regulations. The BDAC is nearing completion of those rules
    • APPA filed a letter with FCC objecting to substance and process

Pole Attachments
• FCC Actions (continued)
  o Wireline and Wireless Proposals: In 2017, FCC proposed rules to “reduce barriers to broadband deployment” by preempting state and local rules and regulations using section 253 (re: rights-of-way and barriers to entry) and section 332 (re: wireless service)
    • APPA filed comments and reply comments
  o Declaratory Ruling and Third Report and Order: On Sept. 26, the FCC adopted an order preempting state and local laws (including pole attachment rules, regulations, and agreements) that do not comport with FCC’s “one-size-fits-all” rules, using sections 253 and 332 and ignoring the exemption in section 224

Pole Attachments
• Legal Actions
  o APPA Appeal of Declaratory Ruling and Third Report and Order: In November 2018, APPA filed a petition for review challenging the Report and Order as an improper assertion of authority that may pose significant risks to the safety, security, and reliability of electric utility operations
    • Transferred to the US Court of Appeals for the Ninth Circuit
    • APPA’s opening brief due on June 10
    • Amici briefs due on June 17
    • Oral arguments likely in fall of 2019

Pole Attachments
• Congressional Action
  o S. 3157 – The STREAMLINE Small Cell Act
    • Introduced in 2018 by Senate Commerce Committee Chairman John Thune (R-SD) and Senator Brian Schatz (D-HI)
    • Would gut public power’s exemption from federal pole attachment regulations by expanding section 332 of Communications Act
    • Failed in 115th Congress
  o H.R. 530 – The Accelerating Wireless Broadband Development by Empowering Local Communities Act of 2019
    • Introduced in January 2019 by Rep. Anna Eshoo (D-CA)
    • Would overturn FCC “wireline” and “wireless” orders
    • Sen. Feinstein (D-CA) intends to introduce a Senate version

Delia Patterson
dpatterson@publicpower.org
202.467.2993