IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Congress Analyzes Security of Vulnerable U.S. Electric Grid

During a Congressional hearing about the cybersecurity posture of the nation’s electric systems, federal officials shared practices that they believe are essential to preserving electricity across the states.

Puesh Kumar
Puesh Kumar, acting principal deputy assistant secretary for the Office of Cybersecurity, Energy Security, and Emergency Response, speaks during the hearing.
The U.S. is making progress with cybersecurity weaknesses that leave the electric grid at risk of disruption from enemy nations, said federal energy officials during a Congressional hearing Tuesday.

The risk is a serious one, and international rival Russia has long suggested it’s willing to target electric systems, said Rep. Stephen Lynch, who convened the hearing. An attack attributed to Russia eliminated power for 225,000 Ukraine residents in 2015.

Six years later, the White House has emphasized protection for critical infrastructure.

Joe McClelland, director of the Office of Energy Infrastructure Security at the Federal Energy Regulatory Commission (FERC), which regulates the bulk power system, said the grid today is resilient enough to withstand one major unforeseen event — but not necessarily multiple.

“It can suffer the single largest contingency on the grid and continue operations,” McClelland said. “[But] if there are multiple contingencies, those can result in prolonged outages, and those outages depend on the extent of damage to the equipment and the availability of that.”

The electric system that underpins everything from home heating and food refrigeration to hospital technology and smartphone charging faces challenges due, in part, to dependence on international supply chains and limited state resources available for bolstering defenses, some speakers said. Congress also questioned whether the sector has sufficiently strong cybersecurity requirements.

Department of Energy (DOE) officials said initiatives are underway to review security standards, assist states and encourage more domestic power equipment production.

SUPPLIER RISK


The federal government wants to head off any threats before they develop into full-fledged incidents, and it’s treating SolarWinds as a key lesson about how risk can quickly spread from vendors to clients, according to Puesh Kumar, acting principal deputy assistant secretary for the DOE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER).

Kumar said CESER has prioritized identifying the various manufacturers and suppliers that provide critical components to the electric sector. Should any of them become compromised, electric system operators could be jeopardized.

Electric-sector hardware and software often involves components produced around the globe, so the various elements of each product must be examined, Kumar said. Foreign state actors may try to tamper with pieces produced within their borders, Lynch warned.

CESER is encouraging engineers and researchers to think about cyber defenses during initial development and design work so that security is ingrained from the get-go, Kumar said. The office is also helping test certain suppliers’ offerings to catch any vulnerabilities before the products are adopted.

“We’ve had a lot of positive success with those manufacturers to ensure that we can actually test their equipment down to the chip level and firmware level,” Kumar said.

LARGE TRANSFORMERS


Experts are not banking on being able to prevent all attacks, so they want to ensure that backup equipment and operation methods will be ready to take over should essential systems or hardware be downed.

One particular concern is that hard-to-replace equipment could become compromised. Large power transformers are only manufactured abroad, and Lynch said that creating, transporting and deploying them can take a year or more, impeding quick emergency response.

Some initiatives aim to ward against interruptions by keeping spare copies of important hardware at the ready. Private companies like Grid Assurance warehouse large hardware and — in exchange for subscription fees — will transport the equipment to electric utilities impacted by natural events or cyber disruptions. CESER seeks to bolster such efforts by providing private companies with research about the most critical, hard-to-produce equipment so they can better prepare.

Getting the most out of these efforts will require coordination with states and the Department of Transportation to safely move gigantic equipment from storage to grid operators in need, Kumar said.

“These large power transformers are 200 to 300 tons,” Kumar said. “The logistics of moving a transformer at 20mph or less from one side of the country to another is a huge challenge.”

DISTRIBUTION AND BULK SYSTEMS


Regulation of the electric grid is split up among levels of government. FERC oversees the bulk electric power facilities that generate and transmit energy, while states have purview over distribution systems.

Lynch expressed concern that the number of entities involved in the overall electric system can complicate cybersecurity activities.

“This creates ample opportunity for bureaucratic stovepiping and can undermine incident response,” he said.

Another significant concern is that states tend to have fewer resources at their disposal, limiting their ability to adopt best practices and to monitor and respond to threats, Kumar said.

Energy officials said the federal government strives to collaborate with states by sharing threat information and delivering free cybersecurity evaluation tools.

Congress members didn’t seem satisfied with the security of the federal part of the system, with some questioning why bulk power system operators aren’t required to abide by all of the best practices outlined in the National Institute of Standards and Technology’s voluntary framework. McClelland said FERC is actively examining current regulations for the sector and that it had collected feedback on potential improvements in September.

CROSS-SECTOR SECURITY


Shoring up electric grid defenses may not go far enough. Cybersecurity and Infrastructure Security Agency (CISA) Executive Assistant Director for Cybersecurity Eric Goldstein said the nation needs a more holistic approach to incident reporting. The current sector-by-sector approach to policy-setting can result in inconsistencies and blind spots that inhibit federal agencies’ efforts to track threats and warn all potentially impacted parties, he said.

One issue is that various sectors may define cyber incidents differently and establish different reporting deadlines, making it difficult for CISA to get clear, comparable insights, Goldstein said.

“There is no blanket reporting requirement for businesses or critical infrastructure in this country,” he said. “For example, the enforcement authorities that FERC may be able to levy will be dramatically different than the TSA or the Federal Reserve Board.”

The sector-based approach can also leave out organizations that may not fall into particular outlined industries but that nonetheless could jeopardize the smooth running of the country if they fall to attack, Goldstein added. Without insights from those entities, CISA is less able to assist victims, warn other potential targets and understand new threats.
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.