'Cybersecurity' worries spur Congress to rethink electrical grid

WASHINGTON--The potential for "cybersecurity" attacks on the United States' electric power grids has spurred politicians to consider legislation to broaden federal authority over electric companies.

Congress already has been consulting with federal agencies and industry associations over how to craft such legislation. On Thursday, legislators sought further input at a hearing before the House Energy and Commerce's subcommittee on energy and air quality.

Industry representatives endorsed the idea of strengthening federal authority in the event of an imminent cybersecurity threat but cautioned against expanding the government's powers too broadly.

"We understand the seriousness of the issue and the need to deal with it," said Susan Kelly, a vice president for the American Public Power Association. "At the same time, we believe that such legislation must be carefully drawn."

The draft legislation under consideration would expand the authority of the Federal Energy Regulatory Commission, which already regulates the nation's bulk power system as allowed by the Federal Power Act. A final draft of the bill will likely be considered by the committee next week, following a classified briefing with intelligence agencies, said Rep. Rick Boucher, chairman of the subcommittee.

The proposed law could require any owner, user, or operator of the bulk power system to abide by interim measures established by the FERC to address current security threats until FERC could address the threats under its normal protocol. It would also grant the FERC the ability to issue orders to owners of the bulk power system at the directive of the White House, either through the president or the secretary of energy.

At issue is whether the law should expand FERC's powers in the case of only a cybersecurity threat, or in the case of other threats to national security as well.

FERC chairman Joseph Kelliher said his commission's authority should apply to a broader definition of national security threats because physical attacks can cause equal or greater damage than a so-called cyber attack.

"There is no adequate means to take timely action under existing laws," he said.

However, industry associations "believe that other government entities, both state and federal, have more direct responsibilities in the general area of national security," Kelly said in her prepared statement. "Moreover, this additional authority is quite vague in its wording and hence potentially all-encompassing in nature, which in and of itself raises substantial concerns."

Steven Naumann, a vice president for Exelon, said the legislation should consider how the use of classified information to justify regulations on the energy sector could impact private companies. He said the bill should "provide for ongoing consultation and sharing of information to the extent possible."

Kelly seconded the idea that establishing guidelines for power systems should be a collaborative effort between the public and private sectors.

"We in the industry think we can bring some expertise on the best ways to set these standards," she said.

No one at the hearing disputed the enormity of a potential cybersecurity attack on the country's electric grid.

"I believe America is disturbingly vulnerable to a cyber attack against the electric grid that could cause significant consequences to our nation's critical infrastructure," said Representative James Langevin (D-R.I.), a member of the Homeland Security Committee who testified before his fellow congressmen. "Virtually every expert that I've discussed these matters with shares this assessment."

"The risk to these systems is steadily increasing," he said.

After a particular vulnerability, dubbed "Aurora," was discovered in 2007 at the Idaho National Laboratory, the subcommittee Langevin chairs, along with federal agencies, reviewed the ability of government efforts to protect power sources from the threat. In spite of the requirements and advisories sent to the electric sector to mitigate the vulnerability, it was unclear electric companies had fully protected themselves from the threat, the witnesses at the hearing said. Interviews with 30 companies suggested only two had completely mitigated the Aurora threat.

"Initial observations suggest that while no company interviewed ignored the advisory, there was a broad range of compliance based on individual interpretations of the threat," Langevin said in his prepared statement.

Kevin Kolevar, the assistant secretary of the Energy Department's office of electricity delivery and energy reliability, said, "Aurora exemplifies... that type of situation that speaks to the need for an interim reliability" for that threat.