March 29, 2017
By Blake Sobczak
Senators of all political stripes voiced support yesterday for exploring new strategies to thwart cyberattacks on the U.S. power grid, including a plan for keeping the lights on without relying on the internet.
Sen. Angus King (I-Maine) urged electricity sector experts to consider whether "back-to-the-future answers" — such as manual backup operations at critical points in the power grid — "might protect us from the kind of attack that we know is coming.
"This qualifies as an emergency, and I hope we can act promptly," King said at a Senate Energy and Natural Resources Subcommittee on Energy hearing yesterday, as he called for a $10 million, two-year grid cybersecurity study (E&E Daily, March 27).
King's bill, S. 79, the "Securing Energy Infrastructure Act," was largely welcomed by witnesses at the hearing. But experts warned against letting strong cyberdefenses come at the expense of other hard-won innovations.
"A broad-scale reversion to pre-digital technology is uneconomic, unjustified and perhaps even impossible," said Michael Bardee, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission, in prepared testimony.
"But I do not see S. 79 as proposing such action," he added, noting that the legislation "could potentially aid the utility industry, FERC and others to maintain a secure electric grid" by setting up an interagency working group to examine the problem.
Bardee suggested King add FERC to the proposed list of members on the working group, which now includes the departments of Defense, Energy and Homeland Security; intelligence community; and the North American Electric Reliability Corp., the nonprofit grid overseer.
The bill was first introduced last summer in response to a series of eye-opening cyberattacks on Ukraine's power grid. In December 2015, hackers used stolen usernames and passwords to break into three Ukrainian utilities' operating networks and cut off power to about a quarter of a million people. The victim companies were able to restore electricity only after reverting to "manual mode" — dispatching employees to flip switches at remote facilities.
A year later, hackers struck again at another Ukrainian power company, temporarily severing electricity at a transmission-level substation (Energywire, Jan. 11).
"If we aren't prepared for cyberattacks, a Ukraine-like situation could take place in the U.S.," said Energy Subcommittee Chairman Cory Gardner (R-Colo.) at the outset of yesterday's hearing. He added that "hackers are certainly trying to create that kind of havoc in the U.S."
Thomas Zacharia, deputy director for science and technology at Oak Ridge National Laboratory, noted that his agency would be called on to support the working group if King's "retro" security bill is enacted.
He told senators that a "two-year pilot to really explore what is possible, to get out in front of this evolving challenge, is probably the best thing we can do."
Industry speakers at the hearing pointed to existing efforts to lock down the power grid from hackers.
John Di Stasio, president of the Large Public Power Council, which represents some of the biggest locally owned utilities in the country, said his group supports the "Securing Energy Infrastructure Act" on the condition that it doesn't get ahead of any existing cybersecurity requirements set by NERC.
"We've got a very robust cyber compliance and enforcement program," he said, noting that the industry has come "a long way" in improving cyberdefenses over the last 10 years. "I feel like we've got some of the essential building blocks in place."
Ben Fowke, CEO of Minneapolis-based utility Xcel Energy Inc., offered a tepid endorsement of King's bill, noting that Xcel "does not object" to the legislation based on its voluntary nature and liability protections for companies that contribute to the working group.
Fowke was more supportive of broader efforts to streamline the government's handling of cybersecurity, such as an effort by Gardner and Sen. Chris Coons (D-Del.) to create a Select Committee on Cybersecurity to cut down on some of the overlap in Congress.
"We just need to coordinate better," said Fowke. "There's a lot of work being done, but it's being done by a lot of agencies, it's being done by a lot of congressional committees. ... I think we're getting better at coordinating, but the bad actors are getting better at attacking us at the same time."
# # #