Action on electrical grid cybersecurity is needed

What is the most urgent challenge facing the electric power sector today? Ask four experts and you may hear five different answers. Many of these answers focus on long-term challenges and undertakings: building a smarter grid, integrating renewable generation or increasing customer choice in how they use their electricity.

All these long-term initiatives, though, require a national electric grid that is reliable and secure. The electric grid serves more than 143 million American customers and has to operate without interruption every moment of every day to transfer electricity affordably across the nation. It also is a key foundation of our national security. Department of Defense installations rely on commercial power for nearly 99 percent of their power needs. Because our grid is highly interconnected, a line outage or system problem in one region can adversely affect system reliability in other regions.

ADVERTISEMENT
As utilities across the country progressively interconnect generating resources and upgrade transmission and distribution systems, they increasingly rely on highly automated digital controls and digital communications to control the flow of electricity. While this modernization of the grid is helping to make power more affordable and create new products and services for electric customers, it also introduces new security concerns. A newer, smarter grid includes devices and connections that create avenues for intrusion, malicious attacks and other threats.

Designing and operating an electric system that prevents cybersecurity events from having a catastrophic impact on the grid is the challenge we must address. Members of the Senate Committee on Energy and Natural Resources have tried to do just that by voting unanimously on May 26 to approve a bill (S.1342, the Grid Cyber Security Act) that addresses cybersecurity of the nation’s critical electric infrastructure. 

The Grid Cyber Security Act takes two significant steps, building on the existing legal framework for addressing grid reliability. First, it grants the secretary of energy the authority to order utilities to take actions to protect critical electric infrastructure against imminent cybersecurity threats. This fills a massive security gap, as no federal official has authority to act in such instances. This provision is broadly supported by the utility industry and the North American Electric Reliability Corporation, the entity charged under current law with developing standards for grid reliability.

Second, the bill provides that the Federal Energy Regulatory Commission and the NAERC will cooperate in addressing weaknesses that may expose electric infrastructure to cybersecurity threats. It is structured to preserve the established roles of industry and government in addressing cybersecurity vulnerabilities. Both roles are significant, given the level of private ownership of the grid and sophisticated and ever-evolving threat environment.

I hope Congress can take up this legislation soon, in conjunction with whatever cybersecurity legislation can emerge from other Senate committees. The director of national intelligence recently told the House Permanent Select Committee on Intelligence that in 2010 almost two-thirds of U.S. firms reported cybersecurity incidents or information breaches. Furthermore, in 2010, cyberattacks specifically targeted energy infrastructure or systems upon which energy infrastructure relies. The so-called “Night Dragon” attacks were directed at global oil, energy and petrochemical companies with the apparent intent of stealing sensitive information. The Stuxnet worm appears to have been created specifically to attack industrial control systems that are widely used in electric power plants and other important infrastructure. According to information security experts, Stuxnet represented one of the most complex cybersecurity threats analyzed to date, and may well serve as a blueprint for future attacks.

The Energy Committee bill represents the latest iteration of electric grid cybersecurity legislation in the Senate. The committee has reported cybersecurity legislation three times over the past two years, each time incorporating changes based on the latest stakeholder input. The threat environment continues to evolve, highlighting the need to move this and other cybersecurity initiatives forward. All of us want to put in place protections to forestall attacks that could result in widespread electricity outages and the accompanying economic damage and human suffering.

Robust collaboration between the public and private sectors has been a hallmark of the electricity industry. This vibrant working relationship will be a critical asset as government and industry move forward in developing security measures for our electric grid. As the Senate works to address cybersecurity legislation, I hope my colleagues recognize how important the electric grid is to our national well-being and the longstanding roles of government and industry in protecting it.


Bingaman is the chairman of the Senate Energy and Natural Resources Committee.