FERC needs to step up oversight of grid security, experts say

Experts recommend more oversight and possibly more statutory authority for federal officials to better guard against cyber spies reportedly gaining access to the nation’s power grids.

Responding to a report that the nation’s electric grid has been hacked by foreign spies, experts recommended today that federal agencies show greater initiative and seek legislative action to strengthen their cybersecurity authority and controls over the grid.

“The federal government needs to be doing a whole lot more than it is doing,” Joseph Weiss, a cybersecurity expert who recently testified to the Senate on grid vulnerabilities, told Federal Computer Week today.

The Federal Energy Regulatory Commission, Nuclear Regulatory Commission and Energy Department need to strengthen their oversight of the electric power grids, transmission systems and communications systems, said Weiss, a nuclear engineer who is managing partner at the consulting firm Applied Control Solutions LLC.

As a start, Congress ought to expand the FERC’s authority beyond interstate-only infrastructure to include regulating cybersecurity on the state and local electric grids, Weiss said.

“We have to play catch-up,” agreed James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. Hacking infiltrations likely have occurred for years, and will take time to weed out, he said.

While the FERC has begun to step up its oversight against cyber threats, the Obama administration’s nearly completed cybersecurity review also will provide a strategic approach to strengthening the grid against cyber attacks, Lewis said.

Weiss and Lewis were responding today to a report in the Wall Street Journal asserting that hackers, apparently including spies from China and Russia, have infiltrated the nation’s power grid and left behind destructive software that could be activated at a later date. While the cyber attacks have caused no electricity disruptions to date, they may form a basis for further intrusions, according to that report.

The cyber intrusions have occurred over the last several years and have been detected by national security officials, the WSJ said.

Responsibility for overseeing cybersecurity of the nation’s power grids is shared by the FERC and by the industry-led North American Electric Reliability Corporation.

On April 7, the corporation’s security director, Michael Assante, notified its members that not all of them appeared to be complying with new industry standards to identify critical power grid assets. The corporation will start enforcing those standards in July.

However, Weiss said he believes the federal government needs an expanded role in overseeing the industry. “We have hardly gotten started,” he said.

The self-regulatory efforts by industry have not gone far enough to protect the existing electric grids, transmission lines or the pending smart grid devices, Weiss said. “The electric industry isn’t even looking at the bulk of their systems,” he said.

The FERC also needs expanded authority to be involved in cybersecurity for state and local systems, which currently are under the jurisdiction of state and local utility commissions, Weiss said.

The report of cyberattacks on the grid does not present an emergency and likely reflects an ongoing series of system penetrations, Lewis said. While the hackers did not attempt to destroy the grid, that might be their eventual goal if we are at war, he said.

To safeguard against hacking, the FERC and industry have been working together more effectively in the last year, after a critical hearing in Congress, but still need to do more to ensure cybersecurity, Lewis said.

“One problem is that for years cybersecurity has been at the bottom of the regulatory priorities,” Lewis said.