[Infowarrior] - 'Cybersecurity' worries spur Congress to rethink electrical grid
Richard Forno
rforno at infowarrior.org
Fri Sep 12 12:28:08 UTC 2008
September 12, 2008 4:00 AM PDT
'Cybersecurity' worries spur Congress to rethink electrical grid
Posted by Stephanie Condon
http://news.cnet.com/8301-13578_3-10040101-38.html?part=rss&subj=news&tag=2547-1_3-0-20
WASHINGTON--The potential for "cybersecurity" attacks on the United
States' electric power grids has spurred politicians to consider
legislation to broaden federal authority over electric companies.
Congress already has been consulting with federal agencies and
industry associations over how to craft such legislation. On Thursday,
legislators sought further input at a hearing before the House Energy
and Commerce's subcommittee on energy and air quality.
Industry representatives endorsed the idea of strengthening federal
authority in the event of an imminent cybersecurity threat but
cautioned against expanding the government's powers too broadly.
"We understand the seriousness of the issue and the need to deal with
it," said Susan Kelly, a vice president for the American Public Power
Association. "At the same time, we believe that such legislation must
be carefully drawn."
The draft legislation under consideration would expand the authority
of the Federal Energy Regulatory Commission, which already regulates
the nation's bulk power system as allowed by the Federal Power Act. A
final draft of the bill will likely be considered by the committee
next week, following a classified briefing with intelligence agencies,
said Rep. Rick Boucher, chairman of the subcommittee.
The proposed law could require any owner, user, or operator of the
bulk power system to abide by interim measures established by the FERC
to address current security threats until FERC could address the
threats under its normal protocol. It would also grant the FERC the
ability to issue orders to owners of the bulk power system at the
directive of the White House, either through the president or the
secretary of energy.
At issue is whether the law should expand FERC's powers in the case of
only a cybersecurity threat, or in the case of other threats to
national security as well.
FERC chairman Joseph Kelliher said his commission's authority should
apply to a broader definition of national security threats because
physical attacks can cause equal or greater damage than a so-called
cyber attack.
"There is no adequate means to take timely action under existing
laws," he said.
However, industry associations "believe that other government
entities, both state and federal, have more direct responsibilities in
the general area of national security," Kelly said in her prepared
statement. "Moreover, this additional authority is quite vague in its
wording and hence potentially all-encompassing in nature, which in and
of itself raises substantial concerns."
Steven Naumann, a vice president for Exelon, said the legislation
should consider how the use of classified information to justify
regulations on the energy sector could impact private companies. He
said the bill should "provide for ongoing consultation and sharing of
information to the extent possible."
Kelly seconded the idea that establishing guidelines for power systems
should be a collaborative effort between the public and private sectors.
"We in the industry think we can bring some expertise on the best ways
to set these standards," she said.
No one at the hearing disputed the enormity of a potential
cybersecurity attack on the country's electric grid.
"I believe America is disturbingly vulnerable to a cyber attack
against the electric grid that could cause significant consequences to
our nation's critical infrastructure," said Representative James
Langevin (D-R.I.), a member of the Homeland Security Committee who
testified before his fellow congressmen. "Virtually every expert that
I've discussed these matters with shares this assessment."
"The risk to these systems is steadily increasing," he said.
After a particular vulnerability, dubbed "Aurora," was discovered in
2007 at the Idaho National Laboratory, the subcommittee Langevin
chairs, along with federal agencies, reviewed the ability of
government efforts to protect power sources from the threat. In spite
of the requirements and advisories sent to the electric sector to
mitigate the vulnerability, it was unclear whether electric companies had
fully protected themselves from the threat, the witnesses at the
hearing said. Interviews with 30 companies suggested only two had
completely mitigated the Aurora threat.
"Initial observations suggest that while no company interviewed
ignored the advisory, there was a broad range of compliance based on
individual interpretations of the threat," Langevin said in his
prepared statement.
Kevin Kolevar, the assistant secretary of the Energy Department's
office of electricity delivery and energy reliability, said, "Aurora
exemplifies... that type of situation that speaks to the need for an
interim reliability" for that threat.