Protecting the Electric Grid from Cyber-Security Threats

On Thursday 9/11/08, the Subcommittee on Energy and Air Quality (of the Committee on Energy and Commerce) held a hearing on the state of Cyber Security with respect to the electric grid. FERC, NERC, and APPA were represented. The focus is taking drafted legislation forward to provide FERC more cyber security emergency authority to address new and often rapidly developing cyber security risks.

Protecting the Electric Grid from Cyber-Security Threats
Subcommittee on Energy and Air Quality
Committee on Energy and Commerce
- 9/11/2008 testimony, audio, and drafted legislation

CSPAN Video now available (requires Realmedia player)

Opening comments emphasized views that the risk is increasing with at least twenty incidents of cyber security problems impacting electric systems service. There’s a strong concern in addressing underlying control systems, vital to reliable service, given growing risk with increasingly interconnectivity and use of widely available technology. The risk picture will continue to be developing with the trends toward Smart Grid and other control system dependent technology developments.

FERC Interviews. Testimony emphasized FERC findings from interviews with 30 utilities – including particular actions taken to address NERC voluntary Aurora Vulnerability advisory in 2007:

• Of the 30, seven were viewed as in full compliance with the advisory.
• All took some steps - one still still using all default passwords, another had a 10 year plan.
• Only 2 went sufficiently far enough to fully address the Aurora vulnerability.
• A number of organizations shrunk scope too small - not sufficiently addressing critical assets/facilities that can affect the bulk electric system.
• Cost estimates addressing the Aurora Vulnerability were not gathered in the process- but viewed as important by the committee with FERC in agreement- more relevant going forward.

The conclusion- self-interest alone is not sufficient for most utilities to take appropriate actions to specifically address the Aurora Vulnerability. This situation fueling strong congressional concerns about how well the regulators and utilities are addressing overall cyber security risk.

Existing FERC/NERC regulatory mechanisms are viewed as insufficient, either lacking enforcement strength (e.g. voluntary NERC Advisories) or take too long following 215 process. APPA emphasized cooperation with FERC staff in developing drafted legislation giving DOE/FERC emergency order making powers address cyber security issues- with still a few remaining points in disagreement.