By former Reps. Dave Hobson (R-Ohio) and Bud Cramer (D-Ala.) - 10/08/14 06:00 AM EDT
With the looming threat of the Islamic State in Iraq and Syria (ISIS) and other potential aggressors to the United States, there is growing concern about another terrorist attack on American soil.
There are many targets to be concerned about, but the nation’s electric grid deserves special attention. Electricity is essential to the economy, and indeed life as we know it, ensuring delivery of food, medical care, transportation and government services.
One area where the partnership has demonstrated effectiveness is in reliability. Since 2005, the electric utility industry has operated under a mandatory federal reliability regime — the only critical infrastructure sector to do so. The industry works with the North American Electric Reliability Corp. (NERC), a nonprofit entity chosen by the Federal Energy Regulatory Commission (FERC) to help send electrons where they need to go. NERC develops mandatory reliability standards, which must be approved by FERC before being implemented. NERC enforces those standards through regular monitoring and compliance audits, and fines can reach up to $1 million per day.
But fines after the fact are not enough. The government and utility industry must keep several steps ahead of attackers. Entities such as the Electricity Sub-Sector Coordinating Council, composed of senior industry and government security officials, and the Electricity Sector Information Sharing and Analysis Center, help facilitate information sharing about threats and how to respond. But when it comes to cyber threats to the grid, more can be done to enhance information flow between industry and federal agencies — in both directions — about vulnerabilities and attacks.
Some of that occurs now, but unfortunate legal and bureaucratic barriers persist. The Senate and President Obama should work on the House-passed Cyber Intelligence Sharing and Protection Act and the Senate’s Cyber Information Sharing Act, which remove these barriers, and make it the law of the land so those protecting the grid can stay on offense.
From an operational perspective, specific assets on the grid must receive protection according to their essential functions. This approach was codified following the sniper attack on the Metcalf substation in California last year. FERC ordered NERC to develop physical security standards that require utilities to identify critical assets and develop security plans, approved by independent third parties, to protect them. FERC issued a proposed rule-making in July to approve NERC’s proposed standard with minor modifications.
As threats grow more complex, the industry and government must adapt accordingly and understand their evolving roles in protecting the grid. The industry is best suited to manage and defend against localized threats, using a combination of preparation, prevention, response and recovery, or what is more commonly referred as the “defense-in-depth” security posture. Working closely with local law enforcement agencies, industry security experts are shoring up defenses for substations and other assets. Of course, the power industry can’t stop every attack, so ensuring grid resiliency — keeping the lights on — after an attack occurs is essential.
Much attention has focused lately on larger threats to the grid and to U.S. national security. Electromagnetic pulses, or EMPs, constitute a real danger, not only to reliability, but to our basic way of life. Security experts are specifically concerned with hostile nation states detonating a nuclear device in low orbit over the U.S., which could destroy major elements of the grid’s capacity.
EMPs raise a basic question: Who is responsible for dealing with them? Again, both the federal government and the industry have specific roles to play. Given the widespread harm a nuclear EMP poses to the U.S., the federal government must assume the principal role in defending the homeland against what amounts to an act of war. Utilities, on the other hand, are working to make spare transformers and other grid components available so that power can be restored as quickly as possible if an attack of this kind occurs.
As important, the government and businesses must determine, as best they can, the probability of threats. While a nuclear EMP is something we should take seriously, it is a high-consequence but low probability event. By comparison, a cyberattack on the U.S. grid might cause less long-term damage to facilities and equipment, but most experts consider a cyberattack far more likely than an EMP attack. Through intelligence gathering and analysis, the U.S. government can help industry understand the nature of these various threats to the grids and the relative likelihood of these threats being realized, so that the industry can prioritize and prepare accordingly.
Whether it’s a cyberattack, an EMP or some other attack, the federal government-industry grid security partnership is essential to keeping the lights on. It is by no means perfect, so changes can be made to make it work better. With new threats emerging all the time, we must be flexible and proactive in how we prepare and respond to protect the grid and our way of life.
Hobson and Cramer each served in the House from 1991 to 2009. While in Congress, they worked together as senior members of the Appropriations’ Defense Subcommittee.