The Federal Energy Regulatory Commission wants Congress to broaden its authority to protect the nation’s electrical grid from cyber-attacks. Again.
In 2005, lawmakers authorized FERC to approve and enforce reliability standards-including cyber-security standards-to protect and improve the country’s bulk power system. FERC says the law is an adequate start on protecting the power supply against most reliability threats, but not against cyber-threats.
“These are national security threats that may be posed by foreign nations or others intent on attacking the United States through its electric grid,” FERC Chairman Joseph Kelliher told a House subcommittee Sept. 11. “The nature of the threat stands in stark contrast to other major reliability vulnerabilities that have caused regional blackouts and reliability failures in the past, such as vegetation management and relay maintenance.”
Kelliher told lawmakers a cyber-attack could cause more extensive damage than the massive 2003 blackout in the Northeast. A cyber-attack, he said, could damage the generating facilities and take weeks or longer to repair.
“Widespread disruption of electric service can quickly undermine our government, military readiness and economy and endanger the health and safety of millions of citizens,” he said. “There may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary and to protect security-sensitive information from public disclosure.”
Kelliher added that FERC does not have adequate authority to act in a timely manner in the case of a cyber-attack. Rep. Rick Boucher, D-Va., may introduce legislation as soon as Sept. 12 to empower FERC to act in the event of a cyber-attack. The bill would require owners and operators of bulk power systems to obey interim orders issued by FERC. The legislation would empower the White House and the Department of Energy to issue emergency orders through FERC.
“Currently, the alternative to a mandatory reliability standard is … to issue an advisory encouraging utilities and others to take voluntary action to guard against cyber- or other vulnerabilities,” Kelliher said. “That approach provides for quicker action, but any such advisory is not mandatory and should be expected to produce inconsistent and potentially ineffective responses.”
That was the case in 2007 when DHS (Department of Homeland Security) launched a simulated attack and managed to destroy a $1 million diesel-electric generator. FERC issued an advisory to the nation’s 1,800 utilities warning them of the vulnerability and requested the utilities implement procedures to mitigate the threat.
The response to the alert was mixed. An audit of 30 utility companies that received the alert showed only seven were in full compliance, although all of the audited companies had taken some precautions.
“Reliance on voluntary measures to assure national security is fundamentally inconsistent with the conclusion Congress reached during enactment of [the 2005 law],” Kelliher said.
For Rep. James Langevin, D-R.I., chairman of the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, changes to the law can’t come fast enough.
“I want to clearly state that I believe America is disturbingly vulnerable to a cyber-attack against the electrical grid that could cause significant consequences to our nation’s critical infrastructure,” Langevin told his fellow lawmakers. “Virtually every expert that I’ve discussed these matters with-across government and throughout the private sector-shares this assessment.”
The bulk power systems of the United States and Canada have more than $1 trillion in assets with more than 200,000 miles of transmission lines generating more than 800,000 megawatts. The systems serve more than 300 million people.
The systems’ infrastructure is heavily reliant on computer-based systems that are used to monitor and control sensitive processes and physical functions. The systems were once mostly closed, proprietary operations but are increasingly connecting to open networks like corporate intranets and the Internet. According to U.S. CERT, “This transition towards widely used technologies and open connectivity exposes controls systems to the ever-present cyber-risks that exist in the information technology world in addition to control system-specific risks.”
As Langevin noted, “For a society that runs on power, the discontinuity of electricity to chemical plants, banks, refineries, hospitals and water systems presents a terrifying scenario.”