Lawmakers: Electric utilities ignore cyber warnings

IDG News Service - The U.S. electrical grid remains vulnerable to cyber and electromagnetic pulse attacks despite years of warnings, several U.S. lawmakers said today.

The electric industry has pushed against federal cybersecurity standards and some utilities appear to be avoiding industry self-regulatory efforts by declining to designate their facilities or equipment as critical assets that need special protection, said U.S. Rep. Yvette Clarke, a New York Democrat and chairwoman of the House Homeland Security Committee's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.

"This effort seems to epitomize the head-in-the-sand mentality that seems to permeate broad sections of the electric industry," Clarke said.

The U.S. electric grid is an "obvious target" for enemies of the nation, and a major outage would affect all aspects of everyday life, Clarke said during a hearing. "We simply cannot afford to lose broad sections of our grid for days, weeks or months," she said.

Despite years of warnings from lawmakers, electric utilities' efforts to secure themselves against cyber or electromagnetic pulse, or EMP, attacks seem to be lagging, Clarke added. During a three-year subcommittee review of electrical grid security, committee members and staff talked to hundreds of experts and read thousands of pages of studies, she said.

"They all reached one conclusion: The electric industry has failed to appropriately protect against the threats we face in the 21st century," Clarke said.

While the hearing mostly focused on cybersecurity, lawmakers also talked about the threat of an EMP attack on the U.S. An EMP is a burst of electromagnetic radiation, usually from a nuclear explosion. While such an attack may be unlikely, an EMP attack could shut down the electricity grid over a wide area and bring the U.S. to a standstill, some lawmakers said.

Representatives of the electric industry said they've worked hard to improve cybersecurity, and they share the lawmaker concerns about EMP attacks. The electric industry needs better information about how to protect against EMP attacks, said Steven Naumann, vice president of wholesale market development at Exelon, an electric utility.

Part of the problem with cyberattacks is that the U.S. government doesn't share enough up-to-date information, Naumann added. "In general, the North American grid is well-protected against cyberattacks -- at least those attacks that we know about," he said. "It's hard to protect against something you don't know."

Many electric utilities have taken significant steps in recent years to improve their cybersecurity, added Mark Fabro, president and chief security scientist at Lofty Perch, a control systems security vendor. The electricity grid will continue to converge with the Internet and that will introduce vulnerabilities, he added, but many utilities are working hard to improve security.

"We continue to witness excellent examples of effective cybersecurity activities from many entities, and observe progress that does not align with the popular opinion that the bulk power system is rife for total system compromise," Fabro said.

But several lawmakers said they're concerned that the electrical grid will become more vulnerable as its controls move onto Internet Protocol networks. "There is a massive computer espionage campaign being launched against the United States by our adversaries," said Rep. Bennie Thompson (D-Miss.), chairman of the full Homeland Security Committee. "Intelligence suggests that countries seek or have developed weapons capable of destroying our grid."