The potential for 'cybersecurity' attacks on the US's electric power grids has spurred politicians to consider legislation to broaden federal authority over electric companies.
US Congress has already been consulting with federal agencies and industry associations over how to craft such legislation. On Thursday, legislators sought further input at a hearing before the House of Representatives's Energy and Commerce Committee's subcommittee on energy and air quality.
Industry representatives endorsed the idea of strengthening federal authority in the event of an imminent cybersecurity threat but cautioned against expanding the government's powers too broadly.
"We understand the seriousness of the issue and the need to deal with it," said Susan Kelly, vice president for the American Public Power Association. "At the same time, we believe that such legislation must be carefully drawn."
The draft legislation under consideration would expand the authority of the Federal Energy Regulatory Commission (Ferc), which already regulates the nation's bulk power system, as allowed by the Federal Power Act. A final draft of the bill will probably be considered by the committee next week, following a classified briefing with intelligence agencies, said Rick Boucher, chairman of the subcommittee.
The proposed law could require any owner, user or operator of the bulk power system to abide by interim measures established by Ferc to address current security threats until Ferc could address the threats under its normal protocol. It would also grant Ferc the ability to issue orders to owners of the bulk power system at the directive of the White House, either through the president or the secretary of energy.
At issue is whether the law should expand Ferc's powers in the case of only a cybersecurity threat or in the case of other threats to national security as well.
Ferc chairman Joseph Kelliher said his commission's authority should apply to a broader definition of national security threats, because physical attacks can cause equal or greater damage than cyberattacks.
"There is no adequate means to take timely action under existing laws," he said.
However, industry associations "believe that other government entities, both state and federal, have more direct responsibilities in the general area of national security", Kelly said in her prepared statement. "Moreover, this additional authority is quite vague in its wording and hence potentially all-encompassing in nature, which, in and of itself, raises substantial concerns."
Steven Naumann, a vice president for energy-services provider Exelon, said the legislation should consider how the use of classified information to justify regulations on the energy sector could impact private companies. He said the bill should "provide for ongoing consultation and sharing of information".
Kelly seconded the idea that establishing guidelines for power systems should be a collaborative effort between the public and private sectors.
"We in the industry think we can bring some expertise on the best ways to set these standards," she said.
No-one at the hearing disputed the seriousness of the effects of a potential cybersecurity attack on the country's electric grid.
"I believe America is disturbingly vulnerable to a cyberattack against the electric grid that could cause significant consequences to our nation's critical infrastructure," said James Langevin, a member of the Committee on Homeland Security who testified before his fellow congressmen. "Virtually every expert that I've discussed these matters with shares this assessment."
"The risk to these systems is steadily increasing," he said.
After a particular vulnerability, dubbed 'Aurora', was discovered in 2007 at the Idaho National Laboratory, the subcommittee chaired by Langevin, along with federal agencies, reviewed the ability of government efforts to protect power sources from the threat.
In spite of the requirements and advisories sent to the electric sector to mitigate the vulnerability, it was unclear whether electric companies had fully protected themselves from the threat, the witnesses at the hearing said. Interviews with 30 companies suggested only two had completely mitigated the Aurora threat.
"Initial observations suggest that, while no company interviewed ignored the advisory, there was a broad range of compliance based on individual interpretations of the threat," Langevin said in his prepared statement.
