Electrical Power Grid Vulnerable to Cyber Threats
- 18 July, 2012 13:26
With a possible debate on cybersecurity legislation looming in the Senate, energy regulators on Tuesday warned lawmakers of the pressing threats facing the nation's power grid.
Appearing before the Senate Committee on Energy and Natural Resources, a panel of witnesses stressed that any bill the full chamber approves must provide for a more fluid system of sharing information about cyber threats, both between public and private entities and between federal and state and local authorities.
"We're often challenged by the lack of information," said Gerry Cauley, president and CEO of the North American Electric Reliability Corporation. "And this is where in cyber the partnership between industry and government in terms of information to help us understand those risks and to be able to adapt to them is very important."
Gregory Wilshusen, director of information and technology at the Government Accountability Office, said his agency recently evaluated the Department of Homeland Security's practices of sharing threat information with the private sector and found it wanting. Too often, Wilshusen said, the department was only providing overly broad information or waiting too long to issue threat warnings.
"In many cases the information was not actionable, not timely," he said.
Tuesday's hearing comes as senators on both sides of the aisle have been pressing for a floor debate to consider the various proposals for cybersecurity legislation ahead of the August recess.
Senate Majority Leader Harry Reid (D-Nev.) has indicated that he would like to bring a bill to the floor this year, and possibly in the two remaining weeks before the break, but time is running short to forge a compromise measure that resolves some of the key differences over issues such as additional regulations and expanded government authorities.
Those divisions were on display at Tuesday's hearing, where committee Chairman Jeff Bingaman (D-N.M.) signaled that he intends to renew efforts to advance a bill that would vest the Department of Energy and the Federal Energy Regulatory Commission (FERC) with greater authority to oversee the electric industry in a bid to strengthen security.
Versions of that legislation passed the committee unanimously in 2010 and 2011, and its provisions could get folded into a sweeping cybersecurity reform bill backed by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) that would expand the authorities of the Department of Homeland Security to regulate the security defenses of critical infrastructure operators in the private sector.
Reid has indicated that that bill, likely in a revised form, will be the legislation that will come to the floor, at which point a slew of amendments are expected to be offered, perhaps including one containing Bingaman's energy-sector provisions.
Meantime, the ranking member on Bingaman's committee, Sen. Lisa Murkowski (R-Alaska), argued against new government mandates and instead advocated for a bill that would focus on clearing the way for government agencies and industry members to share more real-time information about cyber threats. That bill, the SECURE IT Act, was introduced by Sen. John McCain (R-Ariz.) and other Republican senators as an alternative to the Lieberman-Collins legislation.
Separately, Lieberman and Collins on Tuesday sent a letter to FERC Chairman Jon Wellinghoff requesting that the agency launch an investigation into reports that two groups that issue certificates to providers of smart-grid technology and other outside parties granting access to the digital systems behind the power grid were not adhering to cybersecurity regulations.
But in practice, FERC's ability to regulate the cybersecurity posture of industry members is limited, according to Joseph McClelland, director of FERC's Office of Electric Reliability. For instance, the agency has a mandate to oversee the bulk power system, but that excludes Alaska, Hawaii and several large municipalities, including New York City, as well as the activities of power companies at the transmission level.
"Despite its active role in approving reliability standards, FERC's current legal authority is insufficient to assure direct, timely and mandatory action to protect the grid, particularly where certain information should not be publicly disclosed," McClelland told members of the energy committee.
He suggested that any legislation on the power grid and cybersecurity should authorize FERC to take preemptive action to thwart an attack, expand its authority beyond the bulk power system and protect the confidentiality of information.
In addition, the rise of smart grid technology, where new digital devices and systems are connected to the power companies' cyber infrastructure, has opened an array of new threat vectors, McClelland warned. That proliferation of new threats, in turn, has put even greater urgency on sharing information.
"The threats are moving at light speed," he said. "It's probably the most significant thing that we deal with. And it actually has a potential to become much worse, because as we add equipment that was previously dumb equipment to make it smart equipment and give it two-way communication and then give it the ability to speak with the largest generators on the system or to have a nexus to the largest generators on the equipment, then we've introduced a vulnerability, and it would be like online banking without cybersecurity. You really don't want to go there."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
Read more about government in CIO's Government Drilldown.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- HTC unveils new Butterfly s phone that packs more battery life
- CIOs bemoan lock-in and the 'false flexibility' of the Cloud
- Google Glass apps for enterprises coming by early 2014
- iPad 5 rumour rollup for the week ending June 18
- Say 'cheese', Earthlings! Spacecraft to snap home planet pic from deep space
Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4
Solving the skills conundrum – part 1
Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4
High school students still see ICT as ‘sitting at a computer all day’: survey
Does encryption really shield you from government's prying eyes?
Building a Better Mousetrap in Anti-Malware
This story is becoming frustratingly old. Cyber threats are continuously advancing in their adaptability speed, sophistication, and degree of stealthiness. At the same time, the exposed footprint is expanding. More business operations are moving online and end-user devices—corporate-issued and user-owned—are expanding in number and variety. A reasonable question asked by executives responsible for making decisions on their organisations’ security budgets is whether their money and resources are being spent wisely. Are their businesses buying and using the best mix of security technologies to meet their needs and obligations? Read on.
Data Centre Physical Infrastructure: Optimising Business Value
To stay competitive in today’s rapidly changing business world, companies must update the way they view the value of their investment in data centre physical infrastructure (DCPI). This whitepaper discusses how companies can succeed in a changing global market. Read now.
The Future of Knowledge Work
By 2025 the explosion in world population, automobile ownership, and urbanisation trends will make physical travel more complex and time consuming. In contrast, technology will continue to shrink, disappearing into the fabric of our life, eventually becoming so small that it will be embedded in our clothes and environment. This whitepaper identifies the trends likely to shape The Future of Work, and seed the reader with information and ideas to imagine the future that is rushing towards us. Read now.