Congress mobilizes on cyber threats to electric grid

Congress mobilizes on cyber threats to electric grid
© iStock

Lawmakers are zeroing in on the potential for foreign cyberattacks to take down the U.S. electric grid, with members in both chambers pushing hearings and a flurry of bills to address the issue. 

Congressional interest in the issue is growing following reports that Iran has stepped up its cyberattacks against U.S. critical infrastructure, and as Trump administration officials cite threats from Russia and China against the electric grid.

A House Energy and Commerce subcommittee focused on threats to the grid during a hearing on Friday, as lawmakers look to get ahead of the issue.

ADVERTISEMENT

“We know our enemies are rapidly developing new techniques to compromise and attack our grid, so it is vitally important that the federal government and the electric industry remain vigilant in ensuring the grid is secure,” said Rep. Frank Pallone Jr.Frank Joseph PalloneKey House and Senate health leaders reach deal to stop surprise medical bills Overnight Health Care — Presented by Johnson & Johnson – House progressives may try to block vote on Pelosi drug bill | McConnell, Grassley at odds over Trump-backed drug pricing bill | Lawmakers close to deal on surprise medical bills Key negotiator says deal close on surprise medical bills legislation MORE (D-N.J.), chairman of the full committee.

The hearing featured testimony from witnesses including Karen Evans, the assistant secretary of the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response. Evans confirmed the issues faced by the energy grid, saying that “the frequency, scale and sophistication of cyber threats continue to increase.”

Evans highlighted the 2019 Worldwide Threat Assessment published by the Office of the Director of National Intelligence (ODNI) earlier this year on the threat.

The assessment found that Russia not only has the ability to execute cyberattacks against the U.S. electric grid, but is also “mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.” 

On China, the ODNI warned that the country “has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure.”

Recent analysis has also shown that Iran is stepping up cyberattacks against the U.S., drawing the attention of Trump officials. Christopher Krebs, the director of the Department of Homeland Security’s cybersecurity agency, said in a statement that officials "will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information and take steps to keep America and our allies safe."

The array of threats has Congress taking notice, and lawmakers from both parties have introduced a number of bills to combat cyber threats to the energy sector.

The House Energy and Commerce Committee had led the way, with the panel planning to hold a markup in the coming week of several cyber bills designed to secure the grid, according to Energy Subcommittee Chairman Bobby RushBobby Lee RushHillicon Valley: Progressives oppose funding bill over surveillance authority | Senators call for 5G security coordinator | Facebook gets questions over location tracking | Louisiana hit by ransomware attack Progressives oppose spending stopgap measure over surveillance authority extension 50 Cent meets with Pelosi, lawmakers on Capitol Hill MORE (D-Ill.). 

Rush's subcommittee already cleared four cyber bills, including the Enhancing Grid Security through Public-Private Partnerships Act, which would enable DOE to provide cyber support to utilities that the secretary of Energy deems are at risk from cyberattack, and the Cyber Sense Act, which requires DOE to test the cybersecurity of products used in the power grid. 

The other bills awaiting consideration by the full committee are the Energy Emergency Leadership Act and the Pipeline and LNG Facility Cybersecurity Preparedness Act. The first bill would require the DOE secretary to assign energy emergency and security functions to an assistant secretary, while the second would require DOE to examine the cybersecurity of pipelines and liquified natural gas facilities. 

All four bills have bipartisan support. Energy subcommittee ranking member Fred UptonFrederick (Fred) Stephen UptonShimkus says he's reconsidering retirement Shimkus says he's been asked to reconsider retirement Trump urges GOP to fight for him MORE (R-Mich.), a sponsor of one of the bills, emphasized to The Hill on Friday that members of the committee are “on the same page” in acknowledging threats to the electricity sector. “We want to make sure that every tool is utilized to prevent anything bad from happening,” he added.

Other panels are at work as well. The House Science, Space and Technology Subcommittee on Energy will hold its own hearing on Wednesday focused on “modernizing and securing our nation’s electricity grid.” 

A committee spokesperson said Evans will also testify at the hearing, along with officials from energy groups around the country. The spokesperson added that the hearing will “serve as a forum for experts to inform and give recommendations” on next steps around energy cybersecurity.

On the other side of Capitol Hill, the Senate Energy and Natural Resources Committee is also moving on the issue, with plans to mark up the Securing Energy Infrastructure Act on Tuesday. This bill, sponsored by Sens. Angus KingAngus KingHillicon Valley: FTC rules Cambridge Analytica engaged in 'deceptive practices' | NATO researchers warn social media failing to remove fake accounts | Sanders calls for breaking up Comcast, Verizon Bipartisan senators call on FERC to protect against Huawei threats Hillicon Valley: House passes anti-robocall bill | Senators inch forward on privacy legislation | Trump escalates fight over tech tax | Illinois families sue TikTok | Senators get classified briefing on ransomware MORE (I-Maine) and Jim RischJames (Jim) Elroy RischHillicon Valley: FTC rules Cambridge Analytica engaged in 'deceptive practices' | NATO researchers warn social media failing to remove fake accounts | Sanders calls for breaking up Comcast, Verizon Bipartisan senators call on FERC to protect against Huawei threats Senate panel to vote on Turkey sanctions next week MORE (R-Idaho), would establish a two-year pilot program within DOE’s national laboratories to identify the security vulnerabilities faced by energy sector entities. 

King’s office noted that the bill was inspired by the 2015 incident in Ukraine, when a cyberattack on the country's grid shut down power for more than 225,000 people. The legislation passed the Senate last year, but the then-Republican House did not take action on it.

A companion measure was introduced in the House in February by Rep. Dutch RuppersbergerCharles (Dutch) Albert RuppersbergerLawmakers toast Greta Van Susteren's new show Hillicon Valley: Senate passes bill to boost cyber help for agencies, businesses | Watchdog warns Energy Department failing to protect grid | FTC sues Match for allegedly conning users Senate approves bill to boost cyber assistance for federal agencies, private sector MORE (D-Md.), where it awaits action in the Science, Space and Technology Committee. 

Separately, Sens. Cory GardnerCory Scott GardnerHere are the Senate Republicans who could vote to convict Trump GOP senators unveil bill to expand 'opportunity zone' reporting requirements Overnight Health Care: House to vote next week on drug prices bill | Conway says Trump trying to find 'balance' on youth vaping | US spent trillion on hospitals in 2018 MORE (R-Colo.) and Michael BennetMichael Farrand BennetKey House and Senate health leaders reach deal to stop surprise medical bills Bloomberg on 2020 rivals blasting him for using his own money: 'They had a chance to go out and make a lot of money' Senators want FERC to protect critical infrastructure from Huawei threats MORE (D-Colo.) last week introduced the Enhancing State Energy Security Planning and Emergency Preparedness Act, which would authorize DOE to provide financial assistance to states to develop or revise state energy security plans. The senators also introduced companion legislation to the Enhancing Grid Security through Public-Private Partnerships Act. 

Energy sector groups have largely been supportive of the bills, but worry there are some issues Congress has failed to address.

Scott Aaronson, the vice president of security and preparedness at the Edison Electric Institute, told The Hill that many electric companies are looking for Congress to designate “some liability protection” in regards to cyberattacks on the grid. 

“We want to be supportive but we also want to protect our customers and our infrastructure,” Aaronson said on congressional efforts to secure the grid.

And there are other lingering questions.

Richard Mroz, senior adviser on state and government relations at Protect Our Power, said a serious roadblock to legislation to secure the grid is concern over costs. 

“One challenge industry and regulators have is what is this all going to cost, and it isn’t quite clear what those costs are yet,” Mroz told The Hill. “Consumers need to understand that to protect these systems, it’s going to cost something.”

But Mroz underlined the overall threats to the grid and the urgency facing lawmakers. He warned that despite industry's efforts, in a worst-case scenario a cyberattacker could hack into a control system and endanger civilians.

“That is the issue, that an adversary could remotely turn off the power plant, turn off the wastewater treatment system, turn off the pumps or the switches for our cell tower,” Mroz said.