Public interest groups and think tanks have for years been sounding the alarm on critical cybersecurity weaknesses that could bring the U.S. electric grid to a grinding halt.
Awareness of grid security has crept into the American subconscious as people have seen more and more news reports that read like spy novels—Russian and Chinese hackers with quirky names like “Energetic Bear” and “UglyGorilla” launching malware attacks and gathering sensitive information that could be used in cyber warfare to shut down electric lines or power plants.
According to a Morning Consult poll, 75 percent of voters think there’s at least a 50-50 chance that the energy industry will be the target of a major cyber attack within the next few years. But most think the situation is being handled. Almost half—49 percent—think the sector is “somewhat prepared,” and another 10 percent say it is “very prepared.” On the other hand, nearly a third—31 percent—say the industry is “not too prepared” and another 10 percent say it isn’t prepared at all.
“I think that comes under the category of hope springs eternal,” says Thomas Popik, an engineer with the Foundation for Resilient Societies who has been pushing for tougher standards. “Most Americans are concerned with the daily aspects of their lives—they don’t have time to be an expert in cyber vulnerability, and they oftentimes have the hope that government authorities would have protected them.”
The House passed three bills last month to help the Department of Homeland Security deal with cyber threats, and the Senate Intelligence panel approved legislation that would give liability protections to companies that share cyber threat information with the federal government, Bloomberg BNA reported.
But so far, amid gridlock and leading up to the November election, Congress has been unable to pass the information-sharing legislation that experts say is key. And critics say federal regulators have moved too slowly and been too lax in instituting the industry standards Congress required years ago.
In 2005, Congress passed a law requiring the energy industry to institute certain cybersecurity protections, including for at-risk communications networks. The Federal Energy Regulatory Commission has approved and asked for changes to multiple iterations of proposals from the industry-run standards-setting agency, the North American Electric Reliability Corporation. Nine years later, Popik says people would be shocked to realize the rules are still a work in progress. His New Hampshire nonprofit has been especially concerned that the most recent version does not require the electric industry to protect against cyber threats when using public networks like the Internet to send messages to power plants.
Popik argues FERC commissioners have been unwilling to use their authority and Congress hasn’t stepped in.
“We have a situation where the Senate Energy Committee is lagging behind the American public in its perception of the gravity of these threats,” Popik says.
But the electric industry would argue companies are taking steps on their own to protect critical infrastructure and federal agencies are helping too.
NERC operates the Electricity Sector Information Sharing and Analysis Center, which is described as a sort of clearinghouse for information on electric sector security.
The Department of Homeland Security runs the U.S. Computer Emergency Readiness Team (US-CERT), which keeps the business community apprised of major threats. It also manages the National Cybersecurity and Communications Integration Center. And DHS and DOE are pursuing other programs that would allow real-time information-sharing between companies.
Paul Tiao, a lawyer with Hunton and Williams who advises energy firms on cybersecurity, says utilities are “taking this incredibly seriously.”
“It’s nice to see the public getting the message,” Tiao said. The energy industry may have a way to go though. While 59 percent of those polled think the energy industry is “somewhat prepared” or “very prepared” for a cyber attack, voters seemed to have more faith in the financial sector’s ability to handle threats. More people—15 percent—said financial institutions are “very prepared,” while 54 percent said they are “somewhat prepared.”
Tiao thinks increased public attention overall could mean more attention from Congress, even if people think the government has already addressed safety.
While there are a number of changes the energy industry would like to see from the federal government, stakeholders have been quick to warn that too much regulation might make it difficult for them to act quickly in an emergency.
A 171-page report last month from a former White House chief of staff and former Homeland Security secretary called on Congress to act and also made suggestions for the executive branch and energy companies. But it advised against more regulatory action.
“Based on the varied legislative proposals there are political questions about the ability of NERC to ensure the needed security standards,” the report says. “During this project’s discussions with participants from government and the utility industry, as well as our research, it was found that further regulatory actions resulting from legislative action may be counterproductive.”
Echoing a common industry argument, the report says a “regulatory hammer” could hamper these efforts and “reduce trust between utilities, their regulators, and policymakers.”
Despite high public awareness, both sides agree that a big attack may spur action faster.
Because Congress seems to be at an impasse, “we may not get legislation unless there’s a major incident,” Tiao says.
Popik takes things a step further. “The emerging consensus is that we will not be able to move beyond these enormous deficiencies in cyber protection, physical protection, protection against solar storms, until we actually have a calamity,” he says.