University of San Diego

San Diego Journal of Climate & Energy Law

Library of Congress Authority File


This Article contends that the Federal Communications Commission’s (FCC) January 2018 repeal of net neutrality rules created a “zero-day” cybersecurity vulnerability for the energy sector and other criti¬¬¬cal infrastructure. “A zero-day cybersecurity vulnerability is a previously unknown flaw in a computer program that exposes the program to external manipulation.” The flaw may also reside in compromised hardware that creates a “back door” into the internet-connected device. This Article argues that cybersecurity has been primarily viewed from a “hacker paradigm” that obscures systemic threats an Internet Service Provider (ISP) can create to energy reliability and cybersecurity through paid priority and other ISP practices…

This Article contends that federal regulators, responsible entities under the FPA, and state energy sector regulators must act to identify and mitigate risks triggered by the FCC’s repeal of net neutrality rules. The energy sector’s state and federal legal duties do not allow it to rely on the market and unenforceable ISP promises to protect reliability, cybersecurity, and public safety. An open and neutral internet—the goal of net neutrality—is necessary to protect energy reliability crucial to America’s economy, public safety, national security, and deployment of climate change solutions.

Following this introduction, section two of this Article discusses the ISP’s gatekeeper position on the internet and introduces the “hacker paradigm” and “cat video paradigm” that pervade internet and cybersecurity regulation. Section three provides an overview of federal energy sector reliability standards, highlighting the states’ role in energy reliability for the distribution segment of the energy grid. Section four discusses models for energy sector and critical infrastructure cybersecurity governance. Section five provides an overview of mandatory federal cybersecurity standards for the energy sector’s BPS. Section six explores the “hacker-focused” paradigm of many cybersecurity standards including the NERC standards FERC enforces for the energy sector. Section seven examines the Energy-Internet nexus, emphasizing the internet’s increasing integration into the energy sector. Section eight discusses simulations that test the electric grid for communications-induced faults and cascading failures. Section nine analyzes the consequences of FERC’s net neutrality repeal on energy sector reliability, cybersecurity, renewable energy deployment, and public safety.

Finally, section ten recommends that FERC and state public utility commissions conduct grid simulations to test the effect of ISP-induced communications delays on grid reliability and renewable integration. It recommends that state energy regulators initiate proceedings to examine cybersecurity requirements for distribution-level energy resources. Those proceedings should request data from energy sector jurisdictional entities about ISP contracts and conduct, and then consider whether to limit contracts with such entities to ISPs that observe net neutrality. FERC should examine net neutrality repeal as a cybersecurity, reliability and resiliency risk in its Grid Resiliency and Reliability docket. Federal and state law require energy sector participants and regulators to ensure ISPs do not degrade Energy-Internet traffic or violate market manipulation rules and thereby compromise reliability, public safety, just and reasonable rates, the environment, and realization of climate change solutions.