By Calvin Biesecker
The nation’s approach to reducing the electric industry’s cyber security vulnerabilities remains “disorganized” and “ineffective,” according to the chairman of a House panel, who said he isn’t “confident” about the country’s ability to deal with cyber threats.
“The federal government and the private sector must act with a sense of urgency to address these issues, and yet, as I read today’s testimony, I still do not get the sense that we are addressing cyber security with the seriousness it deserves,” Rep. James Langevin (D-R.I.), chairman of the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, said in his opening statement yesterday.
The hearing provided an update from the Federal Energy Regulatory Commission (FERC), which is responsible for overseeing the reliability of the nation’s bulk power system, and the North American Electric Reliability Corp. (NERC), which in turn ensures the reliability of the bulk power system in North America, on recent efforts to improve cyber security for the electric industry. The hearing also examined two new reports by the Government Accountability Office about an investigation by the government auditors into cyber security controls at the Tennessee Valley Authority, the nation’s largest public power company serving 8.7 million people.
Langevin criticized NERC for proposing “inadequate” cyber security standards.
In January of this year FERC approved eight mandatory Reliability Standards for Critical Infrastructure Protection, all addressing cyber security.
“The standards are intended to ensure that the electric industry will devote the necessary resources to securing control systems and related cyber assets,” Richard Sergel, president and CEO of NERC, said at the hearing. He added that the standards require “progressive and continuous improvement,” which is underway.
NERC had planned to review the standards early next year but will now accelerate that to address changes directed by FERC, Sergel said.
The standards will not eliminate cyber threats to the nation’s power grid, Sergel said. That will require “vigilance,” he added.
Several improvements have been made to the nation’s cyber alert system. For example, NERC has a formal mechanism for alerting the electric industry about possible threats, Sergel said. NERC also has a contact list for all 1,800 owners, operators and users of the bulk power system, he said. Finally, he said, it is mandatory to coordinate with FERC on the alerts.
Joseph Kelliher, chairman of FERC, said existing laws are “adequate” for providing the basis to protect the bulk power system against most reliability threats but that their needs to be a mechanism specifically tailored to cyber threats. He said allowing FERC to establish interim reliability standards that are mandatory and enforceable if a national security or intelligence agency believes there is a threat to the bulk power system would be one way to more quickly address cyber security threats while permanent reliability standards are created.
“At the same time reliance on a voluntary alert issued by NERC similarly does not provide adequate assurance that steps will be taken in sufficient time to address a know vulnerability,” Kelliher said. “Given the national security dimensions to the cyber security threat, there may be a need to act quickly to protect the bulk power system, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure. Our legal authority is in adequate for such action.”