The US Senate’s energy panel did a status check Tuesday on actions taken to ensure the electric grid is protected from cyber-attacks. The hearing came as lawmakers are poised to consider yet another round of cybersecurity legislation.
Testimony we heard about cumbersome processes and the inability to react quickly didn’t sound too promising, but you can read the excerpts below or scan the full testimony here and decide for yourself.
GAO – threats are evolving and growing
Gregory C. Wilshusen, Director of Information Security Issues with the Government Accountability Office (GAO), noted that threats to systems supporting critical infrastructure-which includes the electricity industry and its transmission and distribution systems – are evolving and growing. He pointed out that the increased reliance on IT systems and networks exposes the electric grid to potential and known cybersecurity vulnerabilities, including:
- An increased number of entry points and paths that can be exploited by potential adversaries and other unauthorized users
- The introduction of new, unknown vulnerabilities due to an increased use of new system and network technologies
- Wider access to systems and networks due to increased connectivity
- An increased amount of customer information being collected and transmitted, providing incentives for adversaries to attack these systems and potentially putting private information at risk of unauthorized disclosure and use
FERC – we need more authority
Joseph McClelland, who is Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission (FERC), talked about FERC’s mandate to protect the nation’s bulk power system – but said FERC lacks the authority to adequately address cyber or other national security threats to the transmission and power system. He told the panel:
“Widespread disruption of electric service can quickly undermine the U.S. government, its military, and the economy, as well as endanger the health and safety of millions of citizens. Given the national security dimension to this threat, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure. The Commission’s current legal authority is inadequate for such action. This is true of both cyber and physical threats to the bulk power system that pose national security concerns.”
NERC – deep concerns about the changing risk landscape
Gerry Cauley, President and CEO of the North American Electric Reliability Corporation (NERC) noted that today NERC’s reliability standards are mandatory and enforceable within the U.S. for the bulk power system and include Critical Infrastructure Protection (CIP) Standards.
Nonetheless, he told the Senate panel that the landscape is changing from conventional risks – such as extreme weather and equipment damage – “to new and emerging risks where we are left to imagine scenarios that might occur and prepare to avoid or mitigate the consequences.”
He said NERC has concluded “the most effective approach against adversaries exploiting the newer risk landscape is through thoughtful application of resiliency principles” which require proactive readiness.
Ohio utility commissioner – close coordination is essential
Todd A. Snitchler, chairman of the Public Utilities Commission of Ohio, told senators that protecting the electric grid is going to take coordination at all levels of government. As he put it:
“In the critical ‘golden hours’ after a possible new developing threat is detected, or immediately following an event, it may not always be clear what is actually happening or why. For this reason, close coordination between the utility sector and the cyber sector is essential to the response. As the State public utility commissions have traditionally served as the gateway to the utility sector and have their own independent core of expertise and relationships key to understanding, in real-time, events affecting that plant, close coordination among the operators of our cyber networks, the Federal government, and State homeland security partners, including State utility commissions, is essential. Resolving cybersecurity issues will require significant efforts on the parts of all of us, not just one or two of us. We all are part of the solution.”