Trade Law Daily is a service of Warren Communications News.

House Subcommittee Questions Electric Industry’s Preparedness for Cyberattack

Electric industry representatives told a House subcommittee the electric grid is well-secured from cyberattacks and that its greatest cybersecurity problem is a lack of information from the federal government. Their answers contrasted sharply with the opening statement of House Homeland Cybersecurity Subcommittee Chairman Yvette Clarke, D-N.Y., who scolded the electric industry for failing to take adequate steps toward protection. She cited statistics from the North American Electric Reliability Corporation, or NERC, that only 29 percent of generation plant owners and operators have identified at least one critical asset and 63 percent of transmission facilities owners have identified at least one critical asset. “Many in industry are apparently trying to avoid compliance with their own inadequate standards,” she said. “This effort seems to epitomize the head-in-the-sand mentality that seems to permeate broad sections of the electric industry.”


Ranking Member Dan Lungren, R-Calif., said he shares Clarke’s concern. U.S. adversaries realize they can strike a crippling blow from afar more cheaply and with less chance of attribution via cyber attacks than with traditional attack, he said. “We have in some ways come to this late,” he said, adding Congress, the executive branch and the private sector must all catch up. The problems, he said, “have to be recognized upfront. We can’t be embarrassed about it. We have to work together to solve this urgent problem.”

Clarke, Lungren and Committee Chairman Bennie Thompson, D-Miss., all mentioned their support of HR-2195, the Critical Electric Infrastructure Protection Act. The bill would give authority for emergency orders to the Federal Energy Regulatory Commission and require FERC to establish interim measures. It would also require the Department of Homeland Security to perform ongoing cybersecurity vulnerability and threat assessments for the critical electric infrastructure.

The most important step is clear and concise communication, said Steve Naumann, vice president of Wholesale Markets, speaking on behalf of Edison Electric Institute and the Electric Power Supply Association. If there’s a threat, he said, that information needs to get to users, owners and operators who actually work with systems. He would prefer, to the extent that time allows, that FERC consult with industry rather than issue emergency directives, he said. In his testimony, Naumann said Edison is encouraging a security certification program that would independently test and certify smart grid components and systems. He also told the subcommittee there should be a more formal system of collaboration between the government and industry, in which some industry representatives get clearance sufficient for high-level security information. They could then devise mitigation strategies and disseminate those to the rest of industry, Naumann said.

Mark Fabro, president of Lofty Perch, said though the electric grid isn’t completely immune to attack, there have been substantial improvements. Isolated reports in the media shouldn’t be taken as signs of problems with the entire industry, he said. Michael Assante, chief security officer for NERC, said a letter he wrote to industry, cited by Clarke as an example of industry’s recalcitrance, was the start of a good dialogue in protecting assets. The letter was part of an iterative process, he said. In his written testimony he said NERC supports legislation giving a federal agency emergency authority “in the face of specific and imminent cyber threats.”

Rep. Sheila Jackson Lee, D-Texas, largely failed to get witness support for more regulation to protect against damage from an electromagnetic pulse (EMP). Assante said NERC had been meeting with FERC and supported a “partnership.” But he added that Section 215 of the Federal Power Act, which certifies NERC to develop and enforce reliability standards, is “appropriate” as a basis to strengthen efforts. Fabro said federal partnership was “critical” and federal research should be incorporated into state standards. Rep. Laura Richardson, D-Calif., said she would like to work on a manager’s amendment providing procurement guidance that considers cybersecurity for bulk power systems.

“This legislation [HR-2195] didn’t come out of the blue,” said Rep. Bill Pascrell, D-N.J. NERC CEO Rick Sergel admitted in May that an earlier survey of the industry, purportedly showing three in four grid operators had mitigated the Aurora cybersecurity vulnerability (WID Oct 18/07 p2), had actually never been conducted, Pascrell said. “NERC just made [numbers] up to get us off their back,” making Congress “suspicious” of its claims. Pascrell read the notes from a September 2008 meeting of NERC’s infrastructure protection committee in which NERC gave a briefing on the EMP threat, concluding there were “no actions expected” to secure vulnerable infrastructure. “We first have to determine what threat to protect against, and then design mitigation,” Naumann responded. NERC is on the job, but threat assessment “has to be done in a thoughtful manner,” he said.

Assante tried to explain to Rep. Ben Lujan, D-N.M., why NERC shouldn’t put “full faith” in prevention of attacks. Many supposed cybersecurity fixes haven’t prevented “advanced threats,” Assante said. “I believe that the grid is not immune from attacks … but we can try to respond to those attacks,” which is why NERC needs emergency authority to stop “imminent and specific” threats. The grid is “relatively secure from the threats we know of,” and NERC has improved its communications with bulk power system operators and study of threats with DHS and the Energy Department, he told Lujan.

The U.S. doesn’t need to get utilities on the same platform so much as standardize “protocols,” Naumann told Lujan. FERC has completed a final rule that requires smart-grid devices to follow the protocols under development by the National Institute of Standards and Technology, Naumann said. Lujan asked whether any “large umbrella support systems” could oversee distributed generation providers, other than state regulatory bodies. Assante said federal legislation should address “system standards” so deployments are secure, and leave jurisdiction at the state and local level. Lujan, a former chairman of the New Mexico Public Regulation Commission, said Congress should consider working with the National Association of Regulatory Utility Commissioners.