Electrical Power Grid Vulnerable to Cyber Threats

With a possible debate on cybersecurity legislation looming in the Senate, energy regulators on Tuesday warned lawmakers of the pressing threats facing the nation's power grid.

Appearing before the Senate Committee on Energy and Natural Resources, a panel of witnesses stressed that any bill the full chamber approves must provide for a more fluid system of sharing information about cyber threats, both between public and private entities and among federal, state and local authorities.

"We're often challenged by the lack of information," said Gerry Cauley, president and CEO of the North American Electric Reliability Corporation. "And this is where in cyber the partnership between industry and government in terms of information to help us understand those risks and to be able to adapt to them is very important."

Gregory Wilshusen, director of information security issues at the Government Accountability Office, said his agency recently evaluated the Department of Homeland Security's practices for sharing threat information with the private sector and found them wanting. Too often, Wilshusen said, the department provided only overly broad information or waited too long to issue threat warnings.

"In many cases the information was not actionable, not timely," he said.

Tuesday's hearing comes as senators on both sides of the aisle have been pressing for a floor debate to consider the various proposals for cybersecurity legislation ahead of the August recess.

Senate Majority Leader Harry Reid (D-Nev.) has indicated that he would like to bring a bill to the floor this year, and possibly in the two remaining weeks before the break, but time is running short to forge a compromise measure that resolves some of the key differences over issues such as additional regulations and expanded government authorities.

Those divisions were on display at Tuesday's hearing, where committee Chairman Jeff Bingaman (D-N.M.) signaled that he intends to renew efforts to advance a bill that would vest the Department of Energy and the Federal Energy Regulatory Commission (FERC) with greater authority to oversee the electric industry in a bid to strengthen security.

Versions of that legislation passed the committee unanimously in 2010 and 2011, and its provisions could get folded into a sweeping cybersecurity reform bill backed by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) that would expand the authorities of the Department of Homeland Security to regulate the security defenses of critical infrastructure operators in the private sector.

Reid has indicated that that bill, likely in a revised form, will be the legislation that will come to the floor, at which point a slew of amendments are expected to be offered, perhaps including one containing Bingaman's energy-sector provisions.

Meantime, the ranking member on Bingaman's committee, Sen. Lisa Murkowski (R-Alaska), argued against new government mandates and instead advocated for a bill that would focus on clearing the way for government agencies and industry members to share more real-time information about cyber threats. That bill, the SECURE IT Act, was introduced by Sen. John McCain (R-Ariz.) and other Republican senators as an alternative to the Lieberman-Collins legislation.

Separately, Lieberman and Collins on Tuesday sent a letter to FERC Chairman Jon Wellinghoff requesting that the agency launch an investigation into reports that two organizations that certify providers of smart-grid technology and other outside parties with access to the digital systems behind the power grid were not adhering to cybersecurity regulations.

But in practice, FERC's ability to regulate the cybersecurity posture of industry members is limited, according to Joseph McClelland, director of FERC's Office of Electric Reliability. For instance, the agency has a mandate to oversee the bulk power system, but that mandate excludes Alaska, Hawaii and several large municipalities, including New York City, as well as the facilities that power companies use for local distribution.

"Despite its active role in approving reliability standards, FERC's current legal authority is insufficient to assure direct, timely and mandatory action to protect the grid, particularly where certain information should not be publicly disclosed," McClelland told members of the energy committee.

He suggested that any legislation on the power grid and cybersecurity should authorize FERC to take preemptive action to thwart an attack, expand its authority beyond the bulk power system and protect the confidentiality of information.

In addition, the rise of smart grid technology, in which new digital devices and systems are connected to the power companies' network infrastructure, has opened an array of new threat vectors, McClelland warned. That proliferation of new threats, in turn, has put even greater urgency on sharing information.

"The threats are moving at light speed," he said. "It's probably the most significant thing that we deal with. And it actually has a potential to become much worse, because as we add equipment that was previously dumb equipment to make it smart equipment and give it two-way communication and then give it the ability to speak with the largest generators on the system or to have a nexus to the largest generators on the equipment, then we've introduced a vulnerability, and it would be like online banking without cybersecurity. You really don't want to go there."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
