Government and private sector executives pointed to today’s anniversary of the Sept. 11 terrorist attacks to warn lawmakers about protecting a critical piece of the nation’s infrastructure: its electricity grid.
“This is not hyperbole,” Kevin Kolevar, assistant secretary of the Department of Energy, told the House Subcommittee on Energy and Air Quality today. “Let me assure you that cyber-attacks have occurred and they are becoming more sophisticated.”
Today’s hearing arrives as the working calendar of the 110th Congress draws to a close. Lawmakers are trying to move forward with a draft bill that would shore up the nation’s electrical grid against cyber-attacks.
Although it was a fitting topic on the seventh anniversary of 9/11, lawmakers noted that the potential threats against the United States no are longer confined to the physical world.
“Let no one accuse us of having a September 10th mindset when it comes to cybersecurity,” Rep. James Langevin, D-R.I., told the subcommittee in testimony. Langevin appeared as a witness in today’s hearing, which was also Webcast. Langevin also chairs the Subcommittee Emerging Threats, Cybersecurity and Science and Technology, which began examining the nation’s preparedness in the face of cyber-threats after evidence of an alarming vulnerability came to light.
For example, last September, details emerged of an experimental attack the Department of Homeland Security carried out against a generator at the Idaho National Laboratory. In the so-called “Aurora” attack, DHS hacked into the lab’s electrical system and altered the operating cycle of the generator, causing it to explode.
The vulnerability of the nation’s electrical infrastructure came into high relief in 2003 when a massive blackout in the Northeast left 50 million people without power, at a cost around $10 billion to fix. While that blackout was a result of a system failure, authorities viewed the vulnerabilities exposed in the Aurora test as a wake-up call.
In response, the industry group National American Electric Reliability Corporation (NERC) issued a set of standards to the facilities to shore up their defenses against cyber-threats.
Subsequent auditing by the Federal Energy Regulatory Commission (FERC) found that the self-regulatory approach for electrical producers had fallen short, and that many facilities on the Bulk Power System (BPS) grid were still vulnerable.
“Many — and really most — electric facilities are capable of remote operation,” FERC Chairman Joseph Kelliher told the subcommittee. The degree of compliance varied from plant to plant, Kelliher said, but a great number of the power companies he audited “didn’t appreciate how interconnected their facilities were.”
Experts have warned that an Aurora attack or a similar exploit carried out by terrorists or an unfriendly nation could wreak havoc on U.S. infrastructure.
One obstacle is that the industry appears to lack an authority to force compliance with security preparations. FERC can make recommendations to power companies but cannot enforce them. But the bill, now under review, would change that by giving FERC some measure of authority to mandate compliance in the face of a threat.
The window for that authority is still a point of debate. Some witnesses and lawmakers said that ultimate authority to mandate threat responsiveness should rest with the executive branch, though they agreed that since cyber-threats can materialize in a matter of seconds, FERC should have some interim authority to issue an order when it detects a threat.
Kelliher also called on Congress to expand the definition of the BPS, which currently excludes facilities in Alaska and Hawaii, as well as many plants providing electricity to major U.S. cities, such as New York and Washington.
The draft bill, which carries the working title, “Bulk Power System Protection Act of 2008,” would likely be introduced by Rep. Rick Boucher, the Virginia Democrat who chairs the Subcommittee on Energy and Air Quality.
The bill would expand FERC’s authority through an amendment to the Federal Power Act.
Following a classified briefing next week, Boucher hopes that the subcommittee will be able to bring the bill to markup by the end of next week. Boucher is optimistic that the bill will pass through the full committee and make it to a floor vote before the election-shortened session ends.