Utilities open to cybersecurity dialogue


A group of electric companies says it is not opposed to working with the federal government to secure power-grid computer networks, as long as regulators don’t prescribe burdensome and inflexible new rules.

Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., helped sponsor legislation that would have created more government oversight of certain critical networks, including those that control electric grids. After that bill foundered in the Senate, partly because of industry opposition to new rules, he wrote a letter to top leaders of Fortune 500 companies asking them about their views on cybersecurity.

In a response to that letter sent on Thursday and obtained by National Journal, industry associations that represent electric companies, including 24 that received Rockefeller’s letter, say they are open to voluntarily collaborating with government officials.

“We want to be clear that we do not oppose such a regime, provided it does not seek to supplant the existing regulatory structures and public-private coordination already taking place in the electric and nuclear power sectors, even in the absence of new cybersecurity legislation,” the letter states.

Officials fear that a cyberattack aimed at the computer networks that control power grids and other critical infrastructure could cause economic devastation and even loss of life. The companies warn, however, that any regulatory regime cannot focus on meeting specific security standards that may soon be out of date.

“While standards enforce good business practices and encourage a baseline level of security, compliance checklists that focus only on performance requirements are not sufficient to address cyber threats,” the associations wrote. The companies say the electric sector has already been subject to mandatory cybersecurity standards since 2005. Any new cybersecurity program should focus on those sector-specific standards, they argue.

Rockefeller spokesman Vincent Morris said the senator will be reviewing all the letters and will consider all the arguments, but ongoing cyberattacks show that current standards aren't enough.

"We know what's in place won't cut it because the cyber terrorists have moved beyond where we were in 2005," Morris said in an e-mail to National Journal.

The White House is currently drafting an executive order that could enact some voluntary security standards for companies, but Homeland Security Secretary Janet Napolitano said on Friday that the president has yet to review the potential order.

The letter to Rockefeller was signed by representatives of the Edison Electric Institute, the National Rural Electric Cooperative Association, the Nuclear Energy Institute, the American Public Power Association, and the Electric Power Supply Association.
