Senators at odds over how to protect the grid

Environment & Energy Daily; 7/18/12

A partisan split has developed on the Senate Energy and Natural Resources Committee over how to best protect the country's sprawling electric grid from a growing number of cyberattacks, with the panel's Democratic chairman pushing for more federal oversight and the ranking Republican calling for a more hands-off approach.

But both sides agree that the system is vulnerable and that Congress needs to tackle the problem before the August recess arrives.

Energy and Natural Resources Chairman Jeff Bingaman (D-N.M.) complained during a committee hearing yesterday that the process for crafting rules to protect the grid is "cumbersome and overly complicated" and that adequate standards have not materialized seven years after Congress granted the Federal Energy Regulatory Commission authority to address the issue.

Currently, the North American Electric Reliability Corp. (NERC) crafts standards for protecting the system that FERC can then approve. The electric and nuclear industries are the only sectors that currently have cybersecurity rules in place, Bingaman said.

On that note, Bingaman is backing Sen. Joe Lieberman's (I-Conn.) "Cybersecurity Act" (S. 2130), which calls on the Department of Homeland Security -- in consultation with appropriate federal agencies and grid owners and operators -- to asses cybersecurity risks for the country's most critical infrastructure and craft standards for protecting the system. The bill has the backing of the White House and Senate Majority Leader Harry Reid (D-Nev.) and is co-sponsored by Sens. Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.), Dianne Feinstein (D-Calif.) and Sheldon Whitehouse (D-R.I.).
But adding another regulatory layer onto the existing matrix of agencies and rules has piqued the concern of Energy and Natural Resources Committee ranking member Lisa Murkowski (R-Alaska).
Murkowski believes the Lieberman bill would grant DHS too much authority to oversee the grid and that what is needed is a more "nimble approach" to ensure that industry can manage the evolving and increasing threats, said Robert Dillon, a spokesman for the senator.

"Some would have us believe that only the Department of Homeland Security and a host of new federal regulations will protect us, but I don't think granting federal regulators broad new powers is the right approach," Murkowski said during opening comments yesterday. "Instead, we need a much more nimble approach to deal with cyber-related threats that are constantly growing and constantly changing."

Dillon said the bill fails to recognize that FERC and NERC already set enforceable cybersecurity standards -- and impose fines -- to ensure the grid can combat cyberattacks.

"Our reading of the bill says quite plainly that the bill would give Homeland Security broad authority to identify and regulate critical infrastructure, and certainly the grid would fall under that," Dillon said.

"Our feeling is that's a third layer of regulation, you already have FERC and NERC. We just think that's unnecessary."

Murkowski has aligned herself with a controversial GOP measure, the "SECURE IT Act" (S. 3342), which would make it easier for companies to share information about cyber threats with each other and with the government, strengthen criminal statutes for cyber crimes and boost existing research programs for cybersecurity. Republican Sens. John McCain of Arizona, Kay Bailey Hutchison of Texas, Chuck Grassley of Iowa, Saxby Chambliss of Georgia, Dan Coats of Indiana, Ron Johnson of Wisconsin and Richard Burr of North Carolina are backing the bill.

Leslie Phillips, a senior adviser for the Senate Homeland Security and Governmental Affairs Committee, disagreed with Murkowski's interpretation. The Lieberman bill, she said, would not interfere with FERC's regulatory authority over the electric grid. Instead, DHS would work with the private sector to beef up grid security.

"The bill would require DHS to work with FERC and other sector-specific agencies and regulators to ensure the cybersecurity of electric companies," Phillips said. "The companies that need to strengthen their cybersecurity would be subject to performance standards developed by DHS, FERC and stakeholders in question -- the sector would determine how to achieve the standards."

Industry response

The electric industry has not yet weighed in on the larger cybersecurity bills moving through the Senate but has joined Murkowski in raising concerns about legislation the committee approved last year.

The panel approved the "Grid Cyber Security Act" (S. 1342), which would bolster FERC's ability to respond to cyberattacks that threaten to take down large swaths of the electric grid. Under the bill, FERC would be authorized to order NERC to revise inadequate standards and set a timeline for new proposals.

The Energy Department would also be allowed to take immediate action to avert a cyberattack and work with other agencies to protect areas -- Alaska and Hawaii -- that fall outside of FERC's jurisdiction.

Joseph McClelland, director of FERC's Office of Energy Projects, said yesterday that FERC needs the authority because the current process is too slow and unpredictable, and the agency must take action before such a threat reaches the grid.

But Murkowski says the committee's bill is no longer relevant to the cybersecurity debate in the Senate and has said she will oppose Bingaman's plan to introduce the measure as an amendment to Lieberman's bill.

The American Public Power Association, which represents municipal and other government-owned utilities, has also raised concerns about the Senate bill.

APPA says the measure could undermine the current process for dealing with cybersecurity issues by allowing FERC to impose a "top-down approach" that could bypass input from industry and other stakeholders, said Joy Ditto, APPA's vice president of legislative affairs.

Under the bill, FERC could approve temporary emergency orders to combat cyberattacks and rescind those orders after the emergency subsides or other standards are developed through a stakeholder process.

APPA is also concerned that the bill would expand FERC's oversight of the electric distribution system, which states currently regulate.

The legislation would allow FERC to reach into the distribution system "in limited circumstances" when systems vital to the nation's security, economy or public health and safety are at risk.

great post RC, The Grid needs to be locked down. so few people realize how vulnerable we are to cyber attack. Thank God my company takes this threat seriously. Our system and firewall are constantly monitered and is a closed network. I worry about other utilities in the Grid. In this case I don't think we need to legislate our way to security, the best approach would be for homeland security, the FBI, CIA, and local law enforcement to stay viligant along with those of us in the field. Report anything out of the ordinary, train government agents and security experts to Monitor web traffic withen our secure networks, work as a team! together we are safe and secure. Silly regulation I feel will only throw mud in the system. whats wrong with working together to share a common goal.