Government should share responsibility for protecting U.S. grid, says America’s power sector reps
The leaders of three powerful U.S. trade associations in the electric industry responded to an inquiry from U.S. Sen. Edward Markey (D-MA) that detailed how they are working to maximize security amid a growing threat of cyberattacks in order to protect the nation’s electric grid.
Markey, ranking member of the U.S. Senate Foreign Relations Subcommittee on East Asia, The Pacific, and International Cybersecurity Policy wrote several versions of an Aug. 13 letter sent to electric utilities and federal agencies requesting details about what steps they took in response to the 2017 cyber-attack by Russia on U.S. electrical utilities.
“The electric sector takes seriously our role in protecting national security,” wrote Susan Kelly, CEO and president at the American Public Power Association (APPA); Thomas Kuhn, president of the Edison Electric Institute (EEI); and Jim Matheson, chief executive of the National Rural Electric Cooperative Association (NRECA), in a Sept. 4 five-page letter sent to Markey.
APPA represents not-for-profit, community-owned utilities that provide power to 2,000 towns and cities nationwide. EEI represents all U.S. investor-owned electric companies, which provide electricity to roughly 220 million Americans. NRECA is a national trade association representing more than 900 local electric cooperatives, which yearly invest $12 billion in their rural communities around the country.
“Our members now are recognized national security targets; they face nation-state attackers with resources beyond any individual entity’s ability to repel,” the executives wrote. “As such,” they said, “we respectfully ask Congress to consider how the electric sector and the federal government can more effectively share the responsibility of protecting the nation’s energy grid.”
The power sector executives’ letter to Sen. Markey was in response to the letters the senator sent last month to electric utilities PG&E, Florida Power and Light, Duke Energy Carolinas LLC, Consolidated Edison CO-NY, Exelon Corp., Entergy Corp., Xcel Energy, Southern Co., National Grid, and Southern California Edison. The lawmaker also sent his Aug. 13 letter to federal power marketing organizations the Tennessee Valley Authority, Salt River Project, Bonneville Power Administration, and the Western Area Power Administration; and he sent a version to the U.S. Department of Homeland Security (DHS), Department of Energy (DOE), and the Federal Energy Regulatory Commission (FERC). The North American Reliability Corporation (NERC) also received Markey’s letter.
“Unless we act now, America will continue to remain vulnerable to cyberattacks not just on our elections, but on our electrical grid,” Sen. Markey tweeted on Aug. 13 when he also posted a version of his letter online. “I’m demanding answers about Russian cyberattacks and potential cyber-vulnerabilities from the utilities and agencies that oversee the grid.”
Markey’s 30-page letter to the utilities requested responses to seven questions; his 18-page version also asked seven questions of the federal power marketing organizations; a nine-page letter went to federal agencies requesting a staff briefing by Sept. 7 to discuss at least five topics; and a three-pager got sent to James Robb, NERC’s president and executive director, also seeking a staff briefing by Sept. 7.
“We need answers and assurances from stakeholders who operate and oversee the grid that they are doing everything possible to secure our nation’s electrical system against devastating damage from physical or cyber-terrorist attacks,” the senator wrote.
The association leaders offered their answers.
“The reality is that the energy grid is a target for cyber and physical attacks,” they wrote. “Protecting and maintaining the security and reliability of the grid is a top priority for our associations and our members.”
The senator’s letter referenced a Wall Street Journal story published in July that reported Russian government-backed hackers had successfully penetrated the U.S. electric grid in 2016 and 2017 via hundreds of power companies and third-party vendors. “Russian hackers gained access to control rooms, putting them in a position to disrupt U.S. power flow,” he wrote.
The senator also warned in his letters that continued cyber-attacks shouldn’t be a surprise since DHS had issued a 2013 warning alert about them and DOE reported in 2016 that ‘the cybersecurity landscape is characterized by rapidly evolving threats and vulnerability, juxtaposed against slower-moving deployment of defense measures.’
Yes, cyberthreats to the U.S. energy grid from nation states like Russia, among many other adversaries, are “real and growing,” wrote Kelly, Kuhn and Matheson, adding that their industry “is keenly aware of these threats thanks to close coordination and information sharing with government partners” and to a shared responsibility across the sector to protect critical infrastructure.
“Threats to the energy grid and to other critical infrastructure sectors will not go away, and we will continue enhancing our grid security work to evolve with the threat,” they wrote.
The association executives also pointed out in reference to Markey’s 2013 industry survey on protecting and maintaining the security and reliability of the grid, that for him “to say that much has changed in the intervening five-plus years is an understatement.”
Kelly, Kuhn, and Matheson also went a step further, telling Markey they shared their association members’ concerns about the potential cybersecurity implications of answering his specific questions about the energy grid and the efforts made to protect it.
“Many of your questions seek sensitive information and, in some cases, information that is deemed Critical Energy Infrastructure Information (CEII) as defined by FERC,” according to their letter. “We encourage you to engage with us and our members in an appropriately protected forum to address the sensitive security details in your questions more thoroughly.”
The association leaders noted that the companies they represent take a “defense in depth” approach, which includes compliance with the mandatory NERC Critical Infrastructure Protection (CIP) standards. In addition, the power sector companies have forged partnerships within the industry and with all levels of the federal government, and prepared response and recovery strategies for man-made and naturally occurring incidents, according to their letter.
“We value Congress as a constructive partner in this endeavor,” the power association leaders wrote. “There is more that Congress can do.”
For instance, Kelly, Kuhn, and Matheson suggested that federal lawmakers modernize the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act of 2002, the public law providing incentives for the development and deployment of anti-terrorism technologies by creating systems of risk and litigation management, according to DHS.
“The purpose of the Act is to ensure that the threat of liability does not deter potential manufacturers or sellers of effective anti-terrorism technologies from developing and commercializing technologies that could save lives,” the department says on its website.
Congress should update the SAFETY Act to meet the new threat of cyber-attacks; allow electric companies access to federal databases to counter insider threats; and increase security clearances to key electric company staff, while at the same time quickly declassifying certain information about grid security, the association leaders wrote.
“The electric sector already enjoys a strong partnership with the Department of Defense and the intelligence community, but we believe all instruments of national power must be used to deter and respond to adversaries, including nation-state attacks on critical infrastructure,” their letter concluded.