By Jeff Beattie
Spurred on by a recent audit showing widespread utility noncompliance with voluntary recommendations meant to protect the grid from cyber attacks, key lawmakers have unveiled plans to give the Federal Energy Regulatory Commission (FERC) broad powers to enact new mandatory measures to close vulnerabilities in the U.S. bulk power system to potentially devastating computer-launched assaults.
Cyber Security Hawks
At a recent hearing of the House Energy and Air Quality subcommittee, lawmakers and expert witnesses agreed that FERC and other federal agencies need more authority to protect against cyber threats that studies have shown can wreak havoc on the nation’s power plant and grid systems, which are largely controlled through computers.
The panel’s chairman, Rep. Rick Boucher (D-Va.), is moving quickly: He has introduced draft legislation on the subject; held a closed-door subcommittee briefing with intelligence agencies; and is aiming for a mark-up of the draft legislation. Specifically, the bill would authorize FERC to issue an order or rulemaking within four months with new mandatory standards designed to block cyber attacks based on known threats.
It would also let FERC issue emergency orders to protect against fast-breaking “imminent” cyber-security or other national threats to the grid, subject to approval of either the president or the secretary of the Energy Department.
Imminent Threat to Security
Boucher and other lawmakers and witnesses were nearly unanimous at the hearings that the threat of computer-based attacks on the grid is real and that portions of the nation’s bulk power system remain disturbingly exposed. In particular, Boucher cited a recent FERC audit that looked at how thoroughly 30 utilities complied with a cyber-security advisory issued last year by the North American Electric Reliability Corp. (NERC), the FERC-regulated watchdog over reliability on the U.S. and Canadian power grid.
NERC issued the advisory last fall after news leaked of a Department of Homeland Security experiment that showed a generator could be destroyed by hacking into the grid. Dubbed “Aurora,” that test dramatically hiked lawmakers’ concerns about the vulnerability of the nation’s power systems—and thus the economy at large—to a malevolent hacker, a more organized cyber-attack by terrorists, or some form of destructive computer error. You can watch the simulation here.
Many Not in Compliance
However, Boucher said the FERC audit showed that 23 of 30 utilities were still not in compliance with the NERC advisory.
“One utility reportedly had a 10-year compliance schedule, and another had never changed the factory-installed user names and passwords” on certain software, he said.
Boucher added: “FERC reports 20 documented cases where hackers penetrated networks and were able to affect controls on dams, a nuclear reactor, and disabled backup generation and shut down power plants.
“While none have yet resulted in major known problems to the U.S grid or generation equipment, cyber attacks have caused major grid outages in other nations,” he added.
Under questioning from the subcommittee, FERC Chairman Joseph Kelliher described actions that his agency might take in response to an imminent threat to the grid, including requiring generators to promptly boost the amount of output that could be called upon quickly if FERC were concerned that an attack might take generation elsewhere off-line.
Interestingly, Kelliher said FERC has already issued an order designed to combat one of the grid’s major vulnerabilities—possible attacks on transformers, which are expensive and time-consuming to replace and are not widely stockpiled in the U.S.
Kelliher said FERC has approved a cost-recovery system for regulated utilities to purchase spare transformers. However, he acknowledged it is not yet clear if that has produced more back-up supplies.
The other government witness, Kevin Kolevar, assistant secretary for electricity delivery and energy reliability at the Energy Department, was equally alarming in describing the level of threat to U.S. power systems. “The Department of Energy regularly discovers new vulnerabilities in the control systems employed by many utilities,” Kolevar said in his written statement. “This is not hyperbole—let me assure you that cyber attacks against control systems have occurred and they are becoming increasingly sophisticated.”
But while the DOE supports giving FERC heightened powers to guard against cyber attacks on the grid, the department wants an additional role for itself, Kolevar said.
Whereas Boucher’s draft bill reflects Kelliher’s request that FERC be able to issue emergency orders in the face of an “imminent” grid threat, the DOE also wants similar authority that is not included in the draft legislation.
“In the case of an imminent threat to the bulk power system, [Congress should] allow the Department of Energy to issue an order for immediate remedial action” to stand until the new permanent FERC cyber-security measures are in place, says Kolevar’s written testimony.
Talking to reporters afterward, Kelliher downplayed the question of which agency would have the primary authority in the face of an imminent cyber-threat, calling it a “shade of grey, not a remarkable difference.” The DOE is saying that “both [agencies] should have emergency powers,” he said.
Importantly, as written, the draft bill would only apply to the U.S. “bulk power system,” which by definition excludes transmission lines in Alaska and Hawaii and on federal facilities. It also excludes distribution systems in metropolitan areas that could be vulnerable to attack.
As the bill is tweaked, Boucher said lawmakers will consider whether to expand FERC’s traditional authority to cover some of those systems, too, for the purposes of cyber-security.