“This morning’s hearing is to examine the status of actions taken by the
Federal Energy Regulatory Commission (or FERC), the North American
Regulatory Commission (or NERC) and the states to protect the electric
grid from computer attacks on their facilities and control systems.
“I do not think I need to talk much about the serious nature of this
issue. Last week we experienced a week-long outage in this region. It
was a weather-related outage, but it demonstrates how important reliable
service on the electric grid is.
“We read every day of newly discovered attacks or threats on computer
systems in this country and around the world. According to the Director
of National Intelligence, there has been a dramatic increase in the
frequency of malicious cyber activity targeting U.S. computers and
networks, including a more than tripling of the volume of malicious
software since 2009.
“So, the threat is real and it is serious.
“In 2005, we gave FERC the authority to name an entity to develop and
enforce standards to protect the reliability of the grid. I believe that
there are two things that we can say about the system that has emerged
since then.
“First, the current reliability system does have a mandatory character,
so the electric grid is the only critical infrastructure in this country
that has some form of an enforceable standard for cyber security.
“Second, the current reliability system that has emerged is cumbersome
and overly complicated. This may be adequate to deal with reliability
concerns like standards for trimming trees so that they do not fall on
transmission lines. But when it comes to cyber attacks, I am concerned
that the current system is not adequate.
“The process to develop standards started in earnest in 2006, when NERC
filed a series of reliability standards with FERC. A number of them
related to cyber security, and FERC found them wanting. In a series of
filings since then, NERC has corrected some of the shortcomings that the
FERC highlighted. As recently as April, Version 4 of the cyber standards
was approved, with the proviso that NERC address the remaining
inadequacies by the end of the first quarter of next year.
“That means that we are here today in this Committee, seven years after
we passed the law, and we are still waiting for this process to produce
the full set of adequately protective standards that we need. That
cumbersome process has to address a threat whose nature is rapidly
changing, the standards that are in place may not be flexible enough to
deal with emerging threats, and we still do not have an effective system
in place to require action in the face of an imminent cyber attack.
“NERC has developed a system of alerts to help the industry with newly
discovered threats. I’ll have some questions about how that system is
working in practice.
“The concerns that have prompted this hearing are ones that have resulted in
bipartisan cyber security legislation that we have reported from this
committee in both this Congress and in the last Congress. In 2010,
Senator Murkowski and I agreed on an expedited approach to cyber
security standards that was centered at FERC and that passed this
committee unanimously. That bill was hotlined for passage in the Senate
at the end of the last Congress; it ran into holds from two of our
Republican colleagues, perhaps more. Last year, Senator Murkowski and I
reworked the proposal into one that featured a greater role for NERC,
but allowed FERC to set effective deadlines for action and also gave the
Secretary of Energy emergency cyber security authority. Once again, that
bill passed this committee unanimously.
“I don’t believe that the cyber threat affecting the grid has gotten any
less serious since last year, when we acted on a bipartisan basis to
pass our legislation out of the committee. In the testimony for today’s
hearing, there are suggestions that there are additional cyber issues
that also need focused attention, particularly with respect to the
implementation of smart grid technologies.
“We need to address these vulnerabilities that are clearly before us.
The bill that passed this committee unanimously would be an excellent
place to start. It did a good job of balancing the need to avail
ourselves of the expertise in industry on these issues with the need to
act expeditiously. Nothing since then has changed the need for clear
authority to deal with immediate emergencies and longer term
vulnerabilities. As we all agreed last year, processes that take years
to bear fruit may be sufficient for less urgent reliability issues, but
not for the challenges we face in cyber security.”