Senators spar with power industry: Is it safe from cyberattack?

A Senate hearing on protecting the power grid and other crucial infrastructure from cyberattack pivots on the question: Should federal cybersecurity standards be voluntary?

A hearing on Capitol Hill Tuesday highlighted the split among lawmakers that has cast into doubt the prospects for cybersecurity legislation that experts say is urgently needed to protect America's vital infrastructure.  

At the Senate hearing, industry and government officials recounted steps taken so far to protect the power grid from cyberattacks, such as establishing the definition of what constitutes a "critical cyber asset" and the revision of preliminary cybersecurity standards currently in place.

But critics said the moves are insufficient and implored senators to take more forceful steps to secure the nation's infrastructure against the rising threat of cyberattack. 

The electric grid’s "reliance on IT systems and networks exposes it to potential and known cybersecurity vulnerabilities, which could be exploited by attackers," Gregory Wilshusen, director of information security issues for the Government Accountability Office (GAO) said in his prepared remarks. Yet because most steps have been purely voluntary, he added, there is "a lack of a coordinated approach to monitor whether industry follows voluntary standards."

The difference of opinion over whether federal cybersecurity standards should be voluntary or mandatory for private companies is at the heart of two different bills pending in the Senate.

One, sponsored by Sen. John McCain (R) of Arizona, focuses on information sharing and voluntary measures. The other, sponsored by Sen. Joe Lieberman (I) of Connecticut and Susan Collins (R) of Maine and backed by the White House, includes federal mandates that utilities must obey and gives government new authority to protect the power grid.

Senate majority leader Harry Reid (D) of Nevada has said he would like to bring a cybersecurity bill to a vote before the August recess. A House bill passed this spring focuses on information sharing but includes no requirements for protecting critical cyberassets.

Some experts took a dim view of the congressional proceedings Tuesday. 

"The big industry strategy is to block Lieberman-Collins because they fear regulation," says James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. "Today's hearings are mainly political theater so the industry guys can come in and say everything is fine – go back to sleep."

Behind closed doors, national security hawks appear to be ramping up pressure on Congress to push through tough cyber legislation.

In May, amid a period of heightened US tension with Iran, Chairman of the Joint Chiefs of Staff Martin Dempsey opted not to attend a White House meeting on Iran, instead attending a closed meeting with 20 senators to lobby for a strong cybersecurity bill.

In June, national security experts including former Homeland Security Secretary Michael Chertoff and former head of the National Security Agency Gen. Michael Hayden signed a letter urging the Senate to pass a cybersecurity bill protecting critical infrastructure – including authority for the government to act.

"We carry the burden of knowing that 9/11 might have been averted with the intelligence that existed at the time," the letter opines. "We do not want to be in the same position again when 'cyber 9/11' hits – it is not a question of 'whether' this will happen; it is a question of 'when.' Therefore we urge you to bring cyber security legislation to the floor as soon as possible."

Cyberincidents affecting the industrial-control systems of electricity-sector companies increased from three in 2009 to 25 in 2011, Mr. Wilshusen of the GAO reported at the Tuesday hearing.

Alerts have been issued on various vulnerabilities by the North American North American Electric Reliability Corporation (NERC) – an industry reliability group overseen by the Federal Energy Regulatory Commission. In addition, risk-management guidelines are being developed "to help utilities better understand their cybersecurity risks," Gerald Cauley, president of NERC, told the senators. 

But some senators called for more.

"We are here in this committee today, seven years after we passed the law, and we are still waiting for this process to produce the full set of adequately protective standards that we need," said Sen. Jeff Bingaman (D) of New Mexico, chairman of the Energy and Commerce Committee. "We still do not have an effective system in place to require action in the face of an imminent cyber attack."

For example, Senator Bingaman asked Mr. Cauley how the industry had responded to the "Aurora" vulnerability. That danger to the grid was exposed in 2007 when a government laboratory showed a generator destroyed using cyber commands.

"Are you able to track how many utilities still have not complied with the recommendations in that [Aurora] advisory?"

Cauley said NERC was tracking how many utilities had responded to the advice, but didn't offer any numbers. Joe Weiss, a veteran industrial-control system expert, tells the Monitor that just one utility in the nation – whose name he would not disclose – has put in place physical security barriers to mitigate the threat from Aurora. Others might have responded to NERC's recommendations in other ways, however.