House subcommittee questions cybersecurity at power networks

While new computer technology has made power grids more effective, systems designed to secure those networks from cyberattacks continue to lag, Government Accountability Office officials told a House subcommittee on Tuesday.

"Cybersecurity and industry experts have expressed concern that, if not implemented securely, smart-grid systems will be vulnerable to attacks that could result in widespread loss of electrical services essential to maintaining our national economy and security," the GAO's Gregory Wilshusen and David Trimble said in joint testimony at a hearing of the House Energy and Commerce Oversight and Investigations Subcommittee.

Officials have had difficulty securing power grids because they are usually operated by private companies, and government efforts are often dogged by concerns over privacy and intrusion. Another complication -- there is disagreement over the extent of the threat. In 2008 intelligence officials reported that cyberattacks had disrupted electric power in several different areas overseas, but it is unclear if such targeted cyberattacks have occurred in the United States.

The subcommittee examined the issue as Congress debates legislation that could give the Homeland Security Department more authority to protect critical infrastructure like power grids from cyberattacks. The National Security Agency, which has warned of cyberattacks on power systems, has been pushing to be allowed to monitor some private networks in the United States to help prevent cyberattacks.

While new legislation could help encourage a minimum level of cybersecurity, laws will not be enough, Richard Campbell, a Congressional Research Service analyst, told the panel.

"Due to the constantly changing nature of cyberthreats, it is unlikely that effective cybersecurity of the grid will be achieved by regulation alone," he said. "Some assert that electric utilities must be focused on cybersecurity as keenly as they are on their current obligation to serve or to provide shareholder value."

Technical advancements in power networks need to be aimed at security as much as providing better service, said subcommittee Chairman Rep. Cliff Stearns, R-Fla.

"The goal of the smart grid is to improve efficiency, reliability, and interoperability," he said. "An equal goal, however, must be to improve upon the security controls and to minimize the impact from a manmade or natural disaster to ensure reliability and avoid such possibilities."

Besides a lack of security features in some electric systems, last year the GAO found that there was no coordinated monitoring to see whether private companies are following voluntary standards; limited information sharing between industry and the government; and few standards for evaluating the level of cybersecurity.