Trade Law Daily is a service of Warren Communications News.
Cuts the ‘Gordian Knot’

Bingaman Considers Slight Tweaks to Grid Cybersecurity Bill

Federal and private energy organizations were largely receptive to the Senate Energy Committee’s draft cybersecurity bill to amend the Federal Power Act (FPA), but squabbled over which organizations would have what authority if a major attack on the nation’s electric grid occurs. Witnesses at Thursday’s hearing did agree that a strong public/private sector partnership is essential to protecting the grid, identifying its vulnerabilities and reacting to an emergency or immediate threat.

Energy Committee Chair Jeff Bingaman, D-N.M., said the industry must identify potential vulnerabilities within the nation’s power grid and then identify what the response should be if an imminent threat occurs. “I do not believe that the existing suite of reliability standards and the process for developing them is sufficient to defend electric infrastructure against deliberate cyberattacks,” he said.

Ranking Member Lisa Murkowski, R-Alaska, said the committee does not intend to suppress the North American Electric Reliability Corporation’s (NERC) authority during an attack on the power grid. NERC is the industry’s Electric Reliability Organization (ERO) and established the industry’s eight mandatory cybersecurity standards. The Federal Energy Regulatory Commission (FERC) responds to vulnerabilities that expose the power grid to danger. The Department of Energy has the authority to respond to “imminent threats” to the power grid.

NERC backed the legislation’s intent to expand its authority in the case of a cybersecurity attack on the nation’s electric grid, said Gerry Cauley, CEO of NERC. But Cauley said the wording of the bill was nebulous, specifically in its definitions of a vulnerability and an imminent threat. “The bifurcation between vulnerability and imminent threat is an artificial one,” he said. “The emerging dynamic issues that are coming up need a faster response.”

The legislation would allow FERC to address “substantive vulnerabilities” before they become an imminent threat, FERC Director Joseph McClelland told reporters after the hearing. “This legislation attempts to address the issue that somebody may have to proactively move if the vulnerability is bad enough,” McClelland said. “This is not routine stuff, this is stuff that is profound, extraordinary and limited.”

No matter what, Congress needs to make sure the “folks that operate the system are involved with the decision-making process,” testified David Owens, executive vice president-business operations at the Edison Electric Institute, the power industry’s trade group. Cauley agreed and stressed the importance of information sharing and problem solving between the private and public sectors. Cauley cautioned that it’s unrealistic to address the dynamic nature of threats and vulnerabilities with static reliability standards.

Sen. Richard Burr, R-N.C., suggested limiting FERC’s oversight authority, hinting that there were too many cooks in the cybersecurity kitchen. “As a country we have the authority in too many spaces to be responsible for a threat stream that, by the time the agencies are notified, it might be too late to address the immediacy of the event,” said Burr. There are about 50 different agencies looking at cybersecurity issues and yet the industry lacks a centralized authority from which it can receive actionable intelligence, witnesses said. Burr recommended the industry slow the pace of its smart grid adoption until the proper security measures can be implemented.

There’s a definite need to get cybersecurity intelligence to the industry quickly, said Cauley, but he couldn’t say which federal authority was the best or the most informed. Cyberattacks like Stuxnet and Night Dragon underscore the urgency of implementing proper security precautions, Cauley said. Both viruses are “real and represent risks” to the electric grid, he said. NERC receives cybersecurity threat information from the Department of Defense, the National Security Agency, the CIA and the Department of Homeland Security, and has issued 14 NERC Alerts to utility operators since January 2010, Cauley said.

Sen. Tom Udall, D-N.M., called the cybersecurity problem a “Gordian knot” and asked witnesses what Congress could do to cut it. Patricia Hoffman, Department of Energy assistant secretary for the office of electricity delivery and energy, said the industry needs to upgrade to a more secure infrastructure in a timely fashion, needs to continue to develop and test new cybersecurity technologies, and needs to develop a stronger utility workforce that understands the threats to the power grid. Most importantly, the government and the private sector need to maintain a rigorous dialog to determine what security gaps exist, Hoffman said.