Electric utilities in the U.S. are barraged with cyber attacks, and most comply with mandatory cyber security standards, but the standards-setting process is slow, and most of these organizations don’t bother to adopt voluntary security standards, according to a report released by two Democratic congressmen.

“National security experts say that cyber attacks on America’s electric grid top the targets list for terrorists and rogue states, yet we remain highly vulnerable to attacks,” says Rep. Ed Markey (D-Mass.), a member of the House Energy and Commerce Committee. “We need to push electric utilities to enlist all of the measures they can now, and push for stronger standards in Congress that will keep our economy and our country safe from cyber warfare.”

The report, Electric Grid Vulnerability: Industry Responses Reveal Vulnerability Gaps, was prepared by the staff of Markey and Rep. Henry Waxman (D-Calif.), ranking member of the Energy and Commerce Committee.

Based on responses the staff received from investor-owned, municipal, and rural cooperative utilities, and from federal entities with ownership stakes in bulk power distribution, the report says more than a dozen utilities face daily, constant or frequent cyber attacks, with one utility reporting it is the target of 10,000 attempted attacks each month. None of the utilities reported damage to any of their cyber assets, the report says.

The report says almost all utilities comply with mandatory cyber security standards established by the non-profit North American Electric Reliability Corporation (NERC), which develops and enforces reliability standards that are imposed by the Federal Energy Regulatory Commission (FERC). NERC is overseen by FERC. On the other hand, the report says that in response to a question about compliance with voluntary standards against the Stuxnet computer virus, 21 percent of the investor-owned utilities, 44 percent of municipal or cooperative-owned utilities, and 63 percent of federal entities reported compliance.

Setting standards can take years, and making them mandatory requires approval by at least two-thirds of NERC’s membership, the report says. For example, it notes that the most recent critical infrastructure standards took NERC 43 months to develop and submit to FERC for approval.

“Such timeframes are not well suited to address rapidly evolving grid security vulnerabilities,” the report says.

The report also says that even though NERC has been given approval to develop procedures to accelerate standards development in national emergency situations, the procedures must be arrived at by consensus. However, it says that when NERC had the opportunity to turn 25 recommended measures related to remote access to assets into mandatory standards, all of them were voted down by industry.

The report was undertaken to help inform Congress and generate support for legislation to protect the electric grid. The GRID Act (H.R. 5026) was unanimously approved by the Energy and Commerce Committee in 2011 and subsequently by voice vote in the House, but the Senate never acted on the bill. The report says that Republicans have not supported reintroduction of the bill.