Secretary of Defense: Cyber actors are targeting electricity control systems

A heightened warning from the U.S. Department of Defense that the nation is highly vulnerable to cyber-attack recently underscored the potential for an executive order on cybersecurity from the Obama Administration and brought a promise from the U.S. Senate to revisit cyber-legislation in November.

Industry members, in lieu of comprehensive legislation, are moving forward with measures to mitigate cyber-threats and working with the administration to share information on this complex issue.

The cyber-threat

Secretary of Defense Leon Panetta, in a speech he gave in New York on Oct. 11, warned the country that cyber actors are probing America’s critical infrastructure networks.

“They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country,” he said. “We know of specific instances where intruders have successfully gained access to these control systems. An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches and … shut down the power grid across large parts of the country.”

Panetta explained that the most destructive scenarios would combine attacks on critical infrastructure with a physical attack on the country.

“The collective result of these kinds of attacks could be a ‘cyber Pearl Harbor:’ an attack that would cause physical destruction and the loss of life,” he said.

Panetta supported passage of cybersecurity legislation, such as the Cybersecurity Act of 2012 co-sponsored by Senators Joe Lieberman, Susan Collins, Jay Rockefeller, and Dianne Feinstein, over a possible executive order from President Obama.

“This legislation has bipartisan support, but is victim to legislative and political gridlock like so much else in Washington,” Panetta said. “While we wait for Congress to act, the administration is looking to enhance cybersecurity measures under existing authorities. They are considering issuing an executive order as one option to try to deal with the situation, but very frankly there is no substitute for comprehensive legislation, and we need to move as far as we can in the meantime.”

House and Senate Republicans, in a letter on Oct. 11, asked President Obama to rethink exercising authority over the nation’s approach to cybersecurity, in order to avoid the unwanted potential for regulation to roll over to the Internet.

“While we have not seen your proposed executive order, multiple reports suggest that it would authorize the Department of Homeland Security to determine what constitutes ‘critical infrastructure,’ and then adopt certain standards for how such infrastructure is managed to guard against cyber-threats,” they said in the letter. “We cannot afford a hasty, unilateral action that will only serve to bolster the efforts of less democratic nations to stifle the very free exchange of ideas and expression that has allowed the Internet to flourish across the globe.”

Senate Majority Leader Harry Reid, in a statement responding to Panetta’s speech in New York, said that Senate Republicans have blocked passage of a cybersecurity bill, but they will have another chance to help deliver comprehensive legislation to the president.

“Some of my colleagues have suggested that the president should delay further action to protect America from this threat until Congress can pass legislation,” he said. “Secretary Panetta has made clear that inaction is not an option. I will bring cybersecurity legislation back to the Senate floor when Congress returns in November.”

Reid’s support was instrumental to the introduction of the Cybersecurity Act of 2012 by Senators Lieberman, Collins, Rockefeller, and Feinstein in February.

The legislation involves the security of systems that control essential services to the nation, such as power, water and transportation, making it materially different from other proposed cyber-legislation, such as the Stop Online Piracy Act or the Protect Intellectual Property Act.

Cybersecurity sharing

Republican members of the House Energy and Commerce Committee on Oct. 11 requested information from FERC Chairman Jon Wellinghoff about the jurisdiction of FERC’s new Office of Energy Infrastructure Security (OEIS).

“The Committee on Energy and Commerce, in its oversight role, continues to assess the critical infrastructure planning and protection efforts of the appropriate federal agencies, oversee the protection, mitigation and resiliency efforts of private asset owners, and evaluate opportunities to better secure critical infrastructure, such as through improved information sharing,” they said in a statement.

A representative of OEIS was not available to comment on the committee’s request.

Following on its authority to ensure reliability by protecting the grid from immediate threats to cyber-systems, FERC issued a notice of proposed rulemaking (NOPR) on Oct. 18 proposing to require new standards that address the effects of a geomagnetic disturbance (GMD) on the bulk power system.

In testimony before the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on Sept. 12, Joseph McClelland, director of the OEIS, said FERC’s open process for establishing reliability standards, while effective, may be too slow to respond to any extraordinary threats to the system.

“The existing reliability standards do not address electromagnetic pulse vulnerabilities,” McClelland said. “Protecting the electric generation, transmission and distribution systems from severe damage due to an electromagnetic-related event would involve vulnerability assessments at every level of electric infrastructure.”

The NOPR on GMDs would direct NERC to develop and file standards requiring transmission owners and operators to establish operational procedures that mitigate GMD effects. Additional NERC standards would require grid owners and operators to conduct initial and continuing assessments of the potential impacts of GMDs.

“The proposed rulemaking on GMDs provides a framework to address the current vulnerability, and to factor in the scientific and engineering analysis necessary to understand this complex issue,” Gerry Cauley, president and CEO of NERC, said in a statement on Oct. 18.

Cauley was in San Diego on Oct. 17 representing NERC’s Grid Security Conference (GridSecCon), where he said in his welcome address that, in the evolution of cybersecurity, the game is continuously changing.

“We as an industry must continue to grow as well,” he said. “Conferences like this one ensure we are growing and sharing much needed information with one another. We only win if we create deterrents and push back, and remain nimble and responsive.”

More than 280 participants attended GridSecCon 2012.