Since the nation's bulk power systems may be the soft underbelly of cyber-protection schemes, Congress is considering granting the Federal Energy Regulatory Commission emergency powers to impose mandatory responses in case of a cyber-attack on the IT infrastructure of the electrical grid. With more than $1 trillion in assets and 200,000 miles of transmission lines generating more than 800,000 megawatts for 300 million people, a cyber-attack on the electrical grid would be a terrifying scenario, says Rep. James Langevin, chairman of the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
The Federal Energy Regulatory Commission wants Congress to broaden its
authority to protect the nation's electrical grid from cyber-attacks. Again.
In 2005, lawmakers authorized FERC to approve and enforce reliability
standards-including cyber-security standards-to protect and improve the
country's bulk power system. FERC says the law is an adequate start on protecting
the power supply against most reliability threats, but not against cyber-threats.
"These are national security threats that may be posed by foreign
nations or others intent on attacking the United
States through its electric grid," FERC
Chairman Joseph Kelliher told a House subcommittee Sept. 11. "The nature
of the threat stands in stark contrast to other major reliability
vulnerabilities that have caused regional blackouts and reliability failures in
the past, such as vegetation management and relay maintenance."
Kelliher told lawmakers a cyber-attack could cause more extensive damage
than the massive 2003 blackout in the Northeast. A cyber-attack, he said, could
damage the generating facilities and take weeks or longer to repair.
"Widespread disruption of electric service can quickly undermine our
government, military readiness and economy and endanger the health and safety
of millions of citizens," he said. "There may be a need to act
quickly to protect the grid, to act in a manner where action is mandatory
rather than voluntary and to protect security-sensitive information from public
Kelliher added that FERC does not have adequate authority to act in a timely
manner in the case of a cyber-attack. Rep. Rick Boucher, D-Va., may introduce
legislation as soon as Sept. 12 to empower FERC to act in the event of a cyber-attack.
The bill would require owners and operators of bulk power systems to obey
interim orders issued by FERC. The legislation would empower the White House
and the Department of Energy to issue emergency orders through FERC.
"Currently, the alternative to a mandatory reliability standard is ... to
issue an advisory encouraging utilities and others to take voluntary action to
guard against cyber- or other vulnerabilities," Kelliher said. "That
approach provides for quicker action, but any such advisory is not mandatory
and should be expected to produce inconsistent and potentially ineffective
That was the case in 2007 when DHS (Department of Homeland Security)
launched a simulated attack and managed to destroy a $1 million diesel-electric
generator. FERC issued an advisory to the nation's 1,800 utilities warning them
of the vulnerability and requested the utilities implement procedures to
mitigate the threat.
The response to the alert was mixed. An audit of 30 utility companies that
received the alert showed only seven were in full compliance, although all of
the audited companies had taken some precautions.
"Reliance on voluntary measures to assure national security is
fundamentally inconsistent with the conclusion Congress reached during
enactment of [the 2005 law]," Kelliher said.
For Rep. James Langevin, D-R.I., chairman of the House Subcommittee on Emerging
Threats, Cybersecurity, and Science and Technology, changes to the law can't
come fast enough.
"I want to clearly state that I believe America
is disturbingly vulnerable to a cyber-attack against the electrical grid that
could cause significant consequences to our nation's critical
infrastructure," Langevin told his fellow lawmakers. "Virtually every
expert that I've discussed these matters with-across government and throughout
the private sector-shares this assessment."
The bulk power systems of the United States
and Canada have
more than $1 trillion in assets with more than 200,000 miles of transmission
lines generating more than 800,000 megawatts. The systems serve more than 300
The systems' infrastructure is heavily reliant on computer-based systems
that are used to monitor and control sensitive processes and physical
functions. The systems were once mostly closed, proprietary operations but are
increasingly connecting to open networks like corporate intranets and the
Internet. According to U.S. CERT, "This transition towards widely used
technologies and open connectivity exposes controls systems to the ever-present
cyber-risks that exist in the information technology world in addition to
control system-specific risks."
As Langevin noted, "For a society that runs on
power, the discontinuity of electricity to chemical plants, banks, refineries,
hospitals and water systems presents a terrifying scenario."