Hill: Regulatory groups fail to protect power grid from cyberattacks

Federal regulatory commission says it needs more authority to force plants to tighten security for computer networks.

Amid sharp criticism from Congress that they have misled the public and failed to protect the nation's electrical power system against cyberattacks, officials with regulatory bodies overseeing the power grid said they do not have the authority to act quickly enough to institute safeguards.

Members of the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology took aim on Wednesday at the North American Electric Reliability Corporation, which, operating as the Electric Reliability Organization, develops standards for power plants. The standards are approved by the Federal Energy Regulatory Commission, which enforces the reliability benchmarks for most of the nation's power plants. The 2005 Energy Policy Act established the formal relationship between the two organizations.

The hearing was one of a series the subcommittee has held looking into how vulnerable the computers that support the nation's water, power and chemical plants are to cyberattacks. In March 2007, researchers from the Idaho National Laboratories created a video for the Homeland Security Department showing a simulated cyberattack on a power plant's control system. The cyberattack, which has become known as the Aurora Generator Test, caused a generator to self-destruct.

"I have real doubts about NERC's ability to regulate new standards," said Rep. Jim Langevin, D-R.I., chairman of the subcommittee. "It seems to not take this authority seriously. Follow ups with industry to see how they implemented [standards spurred by] Aurora were too limited in scope. It's hard to know why NERC would take such a laissez-faire approach to this issue."

In August 2006, NERC submitted to FERC for approval eight cybersecurity standards, known as the Critical Infrastructure Protection standards. The plan proposed that power plants comply with one set of requirements to tighten security by the middle of 2009 and with another set of criteria by the end of 2010. FERC issued on Jan. 18, 2008, a final rule approving the standards, which require power plants to:

• Identify critical assets, and develop and implement security management

• Verify employees' identities, conduct criminal background checks and security training

• Identify and protect the perimeters and access points to computer networks

• Create and maintain a physical security plan to protect networks

• Define how the power plant will secure systems

• Identify, classify and report cybersecurity incidents

• Establish recovery plans using business continuity and disaster recovery techniques and practices

NERC also established a process to review and propose new standards that will incorporate recommendations from the National Institute of Standards and Technology that are appropriate to power system operating systems. This was a direct response to concerns expressed by Congress in a previous hearing on how industry regulations to protect the power plants' control systems did not meet federal recommendations.

Joseph Kelliher, chairman of FERC, said the cause of the failure to adequately protect power plants is the Energy Policy Act. "In my view, FERC currently does not have sufficient authority to adequately guard against cybersecurity threats to the reliability of the bulk power system," he said. "The principal flaw of the [Energy Policy Act] is it simply takes too long; it can take years to develop new and modified standards."

Congress passed the act initially to combat regional blackouts, Kelliher said, which at the time were caused most often by not clearing shrubs and trees from power lines. The law was not "designed with the cyberthreat in mind," Kelliher said. NERC can issue advisories quickly, but they're voluntary, and do not have the weight of the mandatory standards FERC can issue.

Subcommittee members agreed to consider the claims that more authority is needed but said they questioned the credibility of NERC, charging the organization deliberately misled the subcommittee. At a hearing held in October, NERC Executive Vice President David Whiteley referenced results of a survey it had conducted about the progress power plants had made in implementing processes to mitigate cyberthreats. But a copy of the survey that the subcommittee obtained was dated two days after the hearing took place, indicating NERC had not conducted the survey when Whiteley cited its results.

In addition, Whiteley testified that NERC received at a September meeting in St. Louis, Mo., information about power plants' efforts to tighten cybersecurity. But inquiries from the subcommittee revealed that participants in the meeting did not recall conversations about cybersecurity.

"[NERC] misled this committee in October," said Rep. Bill Pascrell, Jr., D-N.J. "We want to be partners; but you're not going to sit there and waste my time [by] telling me, 'We're doing the job we were directed to do,' while at the same time, having no real answers to … false claims. What do you think we are, a bunch of jerks? We should look into processes for holding the NERC in contempt of this committee. The American people deserve no less."

Richard Sergel, president and chief executive officer of NERC, said, "The responsibility for being clear is entirely ours. We have failed to do that. Going forward we will do better."

Also during the hearing, the Government Accountability Office reported that networks and devices at power plants operated by the Tennessee Valley Authority, which supplies power to residents living in an 80,000 square mile area in the southeastern United States, were vulnerable to cyberattacks that could disrupt power.

For example, TVA had not properly configured a remote access system on its corporate network, and individual workstations had not been secured against known viruses and vulnerabilities and did not have adequate security settings, according to the report. In addition, TVA's intrusion detection system could not properly monitor the network, and firewalls protecting control system networks were bypassed or inadequately configured. The report also stated that weaknesses in the separation of control systems from the corporate network could allow an attacker to gain access and compromise equipment in a secure portion of the interconnected network.

TVA is addressing the security shortcomings noted by GAO and is centralizing its cybersecurity management into one office, said William McCollum Jr., TVA's chief operating officer. That effort, which is expected to be completed in February, will provide a uniform set of security procedures that covers all IT systems.