By Jeff Beattie
The Federal Energy Regulatory Commission (FERC) is seeking authority to require that utilities take mandatory measures to guard against cyber-threats or other attacks on the U.S. electric grid, largely because the agency thinks U.S. utilities’ voluntary response to the so-called “Aurora” threat in 2007 was inadequate, FERC’s top security official told lawmakers Tuesday.
Joseph McClelland, director of FERC’s Office of Electric Reliability, pushed for the new federal authority partly by criticizing industry’s response to an advisory on the “Aurora” vulnerability, the name given to a 2006 experiment in which Energy Department researchers showed it was possible to hack into a generator’s control system and destroy the plant.
“Congress asked the commission to verify…compliance with the Aurora advisory, and on that basis I would answer the question that no, compliance is not sufficient, and the commission reached the conclusion that only if it can be compelled will we be able to assure that compliance has been executed,” McClelland told the energy and environment panel of the House Energy and Commerce Committee.
McClelland was one of several witnesses testifying on current measures to guard against computer-launched attacks on the grid and on two bills–from the House Energy and Commerce Committee and Homeland Security Committee–that would give FERC or DoE new power to order utilities to take protective steps against them.
The sole utility executive speaking at the hearing objected to McClelland’s claim that utilities responded inadequately to specific guidance on the Aurora threat. The executive also said utilities have not been given specific “actionable” guidance on cyber-security threats.
“The industry does not agree that the information [in the Aurora advisory] was specific and actionable, and what we would like to do is submit something for the record for the committee’s benefit,” John DiStasio, general manager and chief executive officer of Sacramento Municipal Utility District, said at the end of the hearing.
“There is a point of disagreement on that,” he told a reporter shortly afterward.
Indeed, McClelland offered almost the opposite assessment in earlier comments, saying the Aurora advisory “contained sufficient information and detail…for folks to be able to perform mitigation.”
While views differed on utilities’ response to the Aurora threat, lawmakers and witnesses were unanimous Tuesday in their concern about the threat of computer hackers or other malicious attacks bringing down the U.S. grid, which is being increasingly tied to the Internet through smart grid and other modernization initiatives.
“This past Thursday, I was joined by a number of other members at a classified briefing on grid security,” said Rep. Edward Markey (D-Mass.), chairman of the environment and energy subcommittee.
“I assure you, the vulnerabilities of the grid are every bit as urgent as the weaknesses in transportation security that were so tragically revealed by the events of September 11th [2001]. A coordinated attack on the grid could literally shut down the U.S. economy, putting lives at risk and costing tens of billions of dollars.”
Markey is the co-sponsor of a bill (H.R. 2165) that would give FERC new authority in the event of an imminent cyber-security threat. Lawmakers Tuesday weighed that bill against somewhat broader legislation (H.R. 2195), introduced in April by House Homeland Security Committee Chairman Bennie Thompson (D-Miss.).
The Senate is significantly further along in crafting a new grid protection law. Over the summer, the Senate Energy and Natural Resources Committee approved language that would direct FERC to issue rules or orders requiring utilities to address cyber-security vulnerabilities. It also enables the DoE secretary to order utilities to take certain mitigating steps in the event of an imminent threat.
H.R. 2165 would empower FERC to order utilities to take interim measures if the president declared an imminent cyber-security threat. As for longer-term vulnerabilities, the bill would let FERC impose new standards only to address the Aurora threat or “related remote access issues.”
By contrast, H.R. 2195 directs FERC to issue orders–addressing both vulnerabilities and immediate threats–that it deems necessary to protect the grid. Those powers would be triggered whenever the Department of Homeland Security says “a significant cyber-vulnerability or threat to critical energy structure has been identified.”
One of the thorniest issues facing lawmakers is whether to extend any new federal authority on grid protections beyond the bulk power system–FERC’s historic jurisdiction–and into electric utility distribution systems, traditionally the purview of state regulators.
H.R. 2165 would specifically limit new federal authority to the U.S. bulk power system, while H.R. 2195 and the Senate bill would expand FERC authority to cover “critical energy assets,” including distribution.
For his part, Markey argued forcefully Tuesday that any new grid protection authority given to the federal government should extend to the distribution system, saying that those local lines are “intricately intertwined” with bulk power lines and that bifurcating the two systems makes little sense in trying to protect against grid attacks.
McClelland also suggested that, particularly with new smart grid applications creating greater exposure on distribution lines, any new federal authorities on cyber-security and other grid threats should be extended to local lines as well.
Interestingly, however, the federal watchdog on grid reliability, the North American Electric Reliability Corp. (NERC), suggested Tuesday that such an expansion would not be effective.
“For us, it is a matter of priorities: The consequences are most profound at the bulk system level…and that’s where we believe our focus ought to be,” said NERC Vice President and General Counsel David Cook.