Electric utilities in the United States are barraged with cyber attacks, and most comply with mandatory cyber security standards, but the standards-setting process is slow and most of these utilities don’t bother to employ voluntary security standards, according to a report released this week by two Democratic congressmen.
“National security experts say that cyber attacks on America’s electric grid top the targets list for terrorists and rogue states, yet we remain highly vulnerable to attacks,” Rep. Ed Markey (D-Mass.), a member of the House Energy and Commerce Committee, said in a statement accompanying the release of the report. “We need to push electric utilities to enlist all of the measures they can now, and push for stronger standards in Congress that will keep our economy and our country safe from cyber warfare.”
The report, Electric Grid Vulnerability: Industry Responses Reveal Vulnerability Gaps, was prepared by the staff of Markey and Rep. Henry Waxman (D-Calif.), ranking member of the Energy and Commerce Committee.
Based on responses the staff received from investor-owned, municipal and rural cooperative utilities, and from federal entities with ownership stakes in bulk power distribution, the report says more than a dozen utilities face daily, constant or frequent cyber attacks, with one utility reporting it is the target of 10,000 attempted attacks each month. None of the utilities reported damage to any of its cyber-assets, the report says.
The report says almost all utilities comply with mandatory cyber security standards established by the non-profit North American Electric Reliability Corporation (NERC), which develops and enforces reliability standards, and imposed by the Federal Energy Regulatory Commission (FERC), which oversees NERC. On the other hand, the report says that in response to a question regarding compliance with voluntary standards against the Stuxnet computer virus, 21 percent of the investor-owned utilities, 44 percent of municipal or cooperative-owned utilities, and 63 percent of federal entities reported compliance.
Setting standards can take years, and making them mandatory requires approval by at least two-thirds of NERC’s membership, the report says. For example, it notes that the most recent critical infrastructure standards took NERC 43 months to develop and submit to FERC for approval.
“Such timeframes are not well suited to address rapidly evolving grid security vulnerabilities,”
The report was undertaken to help inform Congress and generate support for legislation to protect the electric grid. The GRID Act (H.R. 5026) was approved unanimously by the Energy and Commerce Committee in 2010 and subsequently by voice vote in the House, but the Senate never acted on the legislation. The report notes that Republicans have not supported reintroduction of the bill.