By Michael Brooks
WASHINGTON — Compared to the rancor often on display when the Senate Energy and Natural Resources Committee discusses topics like climate change or grid resilience, Thursday’s hearing on preventing cyberattacks on the bulk power system (BPS) was less partisan, with senators soberly asking informational questions.
That was, until it was Sen. Angus King’s (I-Maine) turn to speak.
“There’s a weird calmness about this hearing,” King said at the session, which featured FERC Chairman Neil Chatterjee, NERC CEO Jim Robb and Karen Evans, assistant secretary of the Department of Energy’s new Office of Cybersecurity, Energy Security and Emergency Response (CESER). “This is not a threat. This is happening now. We are under attack! This isn’t something that may happen next year or two years from now. And I’m not revealing anything classified in the sense of quoting news articles and presentations by the Department of Homeland Security. We are in a very dangerous place, and I just think this has to be … an emergency, an urgent situation.”
King has previously called for the federal government to develop an “offensive response” to attacks on the grid and other critical infrastructure, a proposal he repeated Thursday. (See “Sen. King Calls for ‘Offensive’ on Cyberthreats,” Overheard at NECPUC 71st Annual Symposium.)
In late 2015, the Associated Press reported that “so many attackers have stowed away in the largely investor-owned systems that run the U.S. electric grid that experts say they likely have the capability to strike at will.”
The report did not cause much of a stir in the energy industry at the time. But concern has steadily grown, especially since the revelations of Russian hackers’ attacks on Ukraine’s electric grid and their interference in the 2016 U.S. presidential election.
The U.S. Intelligence Community’s 2019 Worldwide Threat Assessment, released late last month, reported that “Russia has the ability to execute cyberattacks in the United States that generate localized, temporary disruptive effects on critical infrastructure — such as disrupting an electrical distribution network for at least a few hours — similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”
The report also said that “China has the ability to launch cyberattacks that cause localized, temporary disruptive effects on critical infrastructure — such as disruption of a natural gas pipeline for days to weeks — in the United States.”
King asked Robb to confirm that “Russians are already in the grid.” Robb declined to answer.
“Well, can you comment on a public story about something released by the Department of Homeland Security?” King asked.
“Uh, no,” Robb replied.
After a brief pause, King said, “OK, let me ask another question. Do any of our utilities have Kaspersky [Lab], Huawei [Technologies] or ZTE equipment in their systems?” Kaspersky is a Russian company, while the latter two are Chinese.
“We issued a NERC alert —”
“I didn’t ask you if you issued an alert,” King interrupted, repeating the question.
“Not to my knowledge,” Robb said. In response to another question from King, Robb also said NERC had not surveyed utilities.
“I think that’d be a good idea, don’t you?” King said.
“I’ll take that on,” Robb replied.
“I don’t mean to come off as negative,” King said later. “I just think this has to be addressed with a real sense of crisis.”
Sen. Martha McSally (R-Ariz.) agreed.
“If I close my eyes, this sounds like a hearing from 19 years ago in many ways,” she said. “And I don’t want to take away from some of the things that have been done, but what has changed in 19 years — more rapidly than us figuring out how to defend, protect, share information and do whatever it takes — is the threat is real and it’s happening.”
“I worry we’re not moving fast enough,” Sen. Martin Heinrich (D-N.M.) said, “especially in a world where it’s often viewed that if it works, just leave it alone.”
Mandatory Pipeline Standards?
Both Chatterjee and Robb told the ENR Committee that NERC’s mandatory reliability standards for electric utility companies are among the many ways the organization guards against cyberattacks. “Mandatory standards, coupled with effective mechanisms to share information, provide robust and flexible tools to protect the BPS,” Robb said.
Chatterjee noted that he and Commissioner Richard Glick wrote an article in June last year expressing their concern about the Transportation Security Administration’s oversight of natural gas pipeline security, concerns vindicated by a Government Accountability Office report in December that found TSA is hampered by staffing constraints and vague criteria for identifying critical facilities. (See GAO Critical of TSA Pipeline Security Efforts.)
“Since the publication of that op-ed, I’ve been pleased to hear from many members of the natural gas pipeline community, who have expressed their appreciation for these concerns and willingness to continue taking steps to improve their security posture,” Chatterjee said in remarks echoing those he had made the day before at the National Association of Regulatory Utility Commissioners’ Winter Policy Summit.
Chatterjee told both the NARUC audience and the Senate committee that he had met with TSA Administrator David Pekoske “and was impressed by his focus on this vital issue, as well as his pledge to take further action to improve TSA’s oversight of pipeline security.”
Speaking to reporters at the NARUC meeting Wednesday, Chatterjee said he met with Pekoske and TSA staff near the end of last month. “It was clear that they were taking seriously the concerns that Commissioner Glick and I had raised [and] also were taking very seriously the GAO report that pointed out things that could be improved about the process. And so, I feel very good about the actions that industry has taken and that TSA and DHS have taken to address some of the concerns that we raised.”
But he declined, both with reporters and under questioning by King and Heinrich, to say whether he thought the responsibility should remain with TSA or shift to a different agency. In the June op-ed, he and Glick wrote, “Given the high stakes, Congress should vest responsibility for pipeline security with an agency that fully comprehends the energy sector and has sufficient resources to address this growing threat.” They suggested DOE, noting the recent creation of CESER.
He also declined to say whether there should be mandatory reliability standards for pipelines, saying that standards were “one way” but “not necessarily the only way” to protect them.
“Of course there should be mandatory standards for gas pipelines!” King said. “They’re part of the electric system. … It seems to me we’ve already passed this effective system for the electric utilities, and Mr. Chairman, I’m with you 100%, but I just don’t want you to hedge about it. I think you should come right out and say, ‘We got to do this.’”
Chatterjee noted that TSA has the authority to issue mandatory standards. “It would take Congress” to change the agency responsible.
“I think we should all be thinking about this question,” Heinrich said to his colleagues. “Where is the right place to do this?”