Lawmakers seek tighter cyber regulation on power grids

The proposal would grant the Federal Energy Regulatory Commission (FERC) authority to require companies that own and operate critical portions of the power grid to take emergency actions to mitigate a specific cyber threat against power generation equipment or the communications networks that support those systems. With the exception of publicly owned utilities, industry compliance with warnings or advisories issued by FERC currently is voluntary.

"Any failure of our electric grid, whether intentional or unintentional, would have a significant and potentially devastating impact on our nation," said House Homeland Security Committee Chairman Bennie Thompson (D-Miss.), who is expected to introduce the measure Thursday along with the Senate Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-Conn.). "We must ensure that the proper protections, resources and regulatory authorities are in place to address any threat aimed at our power system."

The vulnerability of the nation's electrical grid to computer attack has grown as power companies have transferred control of their electrical generation and distribution equipment from private, internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports. That technology has led to greater efficiency because it allows workers to operate equipment remotely.

The legislation comes amid media reports that Chinese and Russian hackers have infiltrated portions of the U.S. electrical grid, leaving behind tools that could be used to disrupt critical networks.

The Defense Science Board, a Pentagon advisory panel, reports that U.S. grid control systems are continuously probed electronically. While there have been no documented cases of cyber break-ins causing major damage or grid outages in the United States, cyber attacks have caused outages in other nations. FERC reports 20 documented cases where hackers have penetrated networks and were able to shut down power plants, and affect controls on dams and on a nuclear reactor.

The "Critical Electric Infrastructure Protection Act" would allow FERC to create stopgap regulations that address specific cyber threats to the nation's power generation and distribution networks, so long as the Department of Homeland Security declares there is a national security threat. It also would require FERC to establish interim standards to protect against known cyber threats to critical electric infrastructure, and calls on DHS to conduct an investigation to determine if the security of federally owned critical electric infrastructure has been compromised by hackers.

A majority of these networks are owned by some 1,800 private companies, which are collectively represented by an industry-led consortium called the North American Electric Reliability Corporation (NERC).

Regulators have complained the voluntary compliance already in place isn't sufficient to blunt cyber threats. In 2007, the Department of Homeland Security issued an advisory to NERC about a widespread vulnerability that could allow hackers to break into standard utility control systems and cause massive physical damage to electricity-generating equipment. These attacks, according to experts, could take months to repair. NERC later directed its member companies to make changes within 60 days to mitigate the threat from the vulnerability. But a follow-up audit by FERC showed that fewer than 30 percent of the utilities had complied.

Brian Ahern, president and chief executive of Industrial Defender, a company that provides security consulting and services to critical infrastructure operators, said most private power operators don't have the technology in place to detect stealthy cyber attacks, and have little incentive to share intelligence about cyber threats to their systems with other providers.

"If you're an investor-owned utility, do you want to raise your hand and put your investors at risk, or do you want to minimize the level of attention given to any cyber incident?" Ahern said.

The Lieberman-Thompson bill is the latest in a series of cyber-security related proposals expected to be introduced this year. Earlier this month, Senators Olympia Snowe (R-Maine) and Jay Rockefeller (D-W.Va) offered legislation that would give the federal government new powers to develop and enforce baseline cyber security standards for the private and public sectors.

In addition, the Obama administration is preparing to discuss details of a 60-day cyber security review, which is expected to chart a course for updating laws and government policies to deal with the cyber security threat facing industry and the federal government.