With a possible debate on cybersecurity legislation looming in the Senate, energy regulators on Tuesday warned lawmakers of the pressing threats facing the nation’s power grid.
Appearing before the Senate Committee on Energy and Natural Resources, a panel of witnesses stressed that any bill the full chamber approves must provide for a more fluid system of sharing information about cyber threats, both between public and private entities and between federal and state and local authorities.
“We’re often challenged by the lack of information,” said Gerry Cauley, president and CEO of the North American Electric Reliability Corporation. “And this is where in cyber the partnership between industry and government in terms of information to help us understand those risks and to be able to adapt to them is very important.”
Gregory Wilshusen, director of information and technology at the Government Accountability Office, said his agency recently evaluated the Department of Homeland Security’s practices of sharing threat information with the private sector and found it wanting. Too often, Wilshusen said, the department was only providing overly broad information or waiting too long to issue threat warnings.
“In many cases the information was not actionable, not timely,” he said.
Tuesday’s hearing comes as senators on both sides of the aisle have been pressing for a floor debate to consider the various proposals for cybersecurity legislation ahead of the August recess.
Senate Majority Leader Harry Reid (D-Nev.) has indicated that he would like to bring a bill to the floor this year, and possibly in the two remaining weeks before the break, but time is running short to forge a compromise measure that resolves some of the key differences over issues such as additional regulations and expanded government authorities.
Those divisions were on display at Tuesday’s hearing, where committee Chairman Jeff Bingaman (D-N.M.) signaled that he intends to renew efforts to advance a bill that would vest the Department of Energy and the Federal Energy Regulatory Commission (FERC) with greater authority to oversee the electric industry in a bid to strengthen security.
Versions of that legislation passed the committee unanimously in 2010 and 2011, and its provisions could get folded into a sweeping cybersecurity reform bill backed by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) that would expand the authorities of the Department of Homeland Security to regulate the security defenses of critical infrastructure operators in the private sector.
Reid has indicated that that bill, likely in a revised form, will be the legislation that will come to the floor, at which point a slew of amendments are expected to be offered, perhaps including one containing Bingaman’s energy-sector provisions.
Meantime, the ranking member on Bingaman’s committee, Sen. Lisa Murkowski (R-Alaska), argued against new government mandates and instead advocated for a bill that would focus on clearing the way for government agencies and industry members to share more real-time information about cyber threats. That bill, the SECURE IT Act, was introduced by Sen. John McCain (R-Ariz.) and other Republican senators as an alternative to the Lieberman-Collins legislation.
Separately, Lieberman and Collins on Tuesday sent a letter to FERC Chairman Jon Wellinghoff requesting that the agency launch an investigation into reports that two groups that issue certificates to providers of smart-grid technology and other outside parties granting access to the digital systems behind the power grid were not adhering to cybersecurity regulations.
But in practice, FERC’s ability to regulate the cybersecurity posture of industry members is limited, according to Joseph McClelland, director of FERC’s Office of Electric Reliability. For instance, the agency has a mandate to oversee the bulk power system, but that excludes Alaska, Hawaii and several large municipalities, including New York City, as well as the activities of power companies at the transmission level.
“Despite its active role in approving reliability standards, FERC’s current legal authority is insufficient to assure direct, timely and mandatory action to protect the grid, particularly where certain information should not be publicly disclosed,” McClelland told members of the energy committee.
He suggested that any legislation on the power grid and cybersecurity should authorize FERC to take preemptive action to thwart an attack, expand its authority beyond the bulk power system and protect the confidentiality of information.
In addition, the rise of smart grid technology, where new digital devices and systems are connected to the power companies’ cyber infrastructure, has opened an array of new threat vectors, McClelland warned. That proliferation of new threats, in turn, has put even greater urgency on sharing information.
“The threats are moving at light speed,” he said. “It’s probably the most significant thing that we deal with. And it actually has a potential to become much worse, because as we add equipment that was previously dumb equipment to make it smart equipment and give it two-way communication and then give it the ability to speak with the largest generators on the system or to have a nexus to the largest generators on the equipment, then we’ve introduced a vulnerability, and it would be like online banking without cybersecurity. You really don’t want to go there.”