Grid cybersecurity requires constant vigilance, say U.S. senators, FERC chairman

Published on May 16, 2018 by Kim Riley

© Shutterstock

Unceasing, prioritized cybersecurity is essential to protecting the country’s energy infrastructure and electric grid against cyberattacks, top United States government officials said recently.

Comments from U.S. Sens. Martin Heinrich (D-NM) and John Hoeven (R-ND) and from Kevin J. McIntyre, chairman of the Federal Energy Regulatory Commission (FERC), made during separate and publicly broadcast May 10 Washington Post interviews, covered the security of America’s energy grid, how to combat cyber threats, and what Congress should do beyond U.S. Energy Secretary Rick Perry’s proposed Office of Cybersecurity, Energy Security, and Emergency Response, which would coordinate the nation’s cybersecurity response.

“One of the things … the Congress should do is create a cyber doctrine,” said Heinrich, Ranking Member of the U.S. Senate Armed Services Subcommittee on Emerging Threats and Capabilities. “Create a stance that we project to the world and say where some of our red lines are — where are we going to draw the line when a foreign actor interferes in our critical infrastructure?”

For instance, like when Russia’s alleged cyberattacks on the U.S. electric grid occurred, likely in 2016 or earlier, according to a March 15 joint alert issued by the U.S. Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI).

The alert was the federal government’s first-ever public accusation that Moscow had hacked multiple American infrastructure sectors, including energy, water, nuclear, aviation, commercial facilities and manufacturing. The direct response by the Trump administration was designed to stop Russia’s cyberspace intrusions, which according to the DHS/FBI alert included a multi-state campaign “by Russian government cyber actors” in which “they staged malware, conducted spear phishing, and gained remote access into energy sector networks.”

A cyber doctrine resembling the existing nuclear doctrine between the U.S. and Russia would ensure “both understood where the other stood and where the red lines were, and what the sort of state of play was and where the places you just can’t go are,” said Heinrich, who also serves on the U.S. Senate Energy and Natural Resources, Intelligence, and Joint Economic Committees.

“We don’t have that in cyber right now and it’s really important if you’re going to have deterrents,” he said.

Hoeven, who also sits on the Senate Energy and Natural Resources Committee, said his colleague’s idea “certainly makes sense,” but cybersecurity also is something “we’re all going to have to keep working on, on an ongoing basis because it’s such a dynamic area.”

Hoeven, who has been leading efforts to develop a comprehensive national energy plan, including serving as the leading advocate for approving the Keystone XL pipeline, pointed out that it’s “harder to play defense than it is to play offense,” particularly when not only Russia, China, Iran, other state actors, and non-state actors “are trying to hack into our grid system — everything from energy to our other governmental systems, to private business systems,” the lawmaker said.

“This has to be an all-of-government issue,” Hoeven suggested. “We want good coordination. I think largely that comes through [the Department of] Homeland Security and the military. And we’ve got to make sure we continue to coordinate with the private sector.”

Added Heinrich, referring to over-arching cybersecurity leadership: “Somebody within the administration does need to own it.” He thinks there should be a cyber command component added to the U.S. Department of Defense “so you have someone at DOD fully capable of knowing when to engage and say, ‘There are going to be consequences.’”

And what should those consequences be?

“We have to push back on anyone that meddles with our elections,” like the Russians did in 2016, said Hoeven. “That’s not acceptable. So whether it’s Russia or anyone else that meddles in our elections, of course we have to push back on that. All options on the table, you know, in any kind of confrontation.”

On the contrary, Heinrich said, the U.S. needs to figure out how “we’re going to project to them — okay, what do we consider meddling and what do we consider a truly hostile act of war? Because they need to know where those red lines are, too. And right now, I don’t think they know that. And they have a very lean-forward approach to cyber work.”

Ongoing cyber-awareness
FERC Chairman McIntyre, who only recently was sworn in on Dec. 7, 2017, also was asked about cybersecurity, specifically whether he had a strategy for preventing intrusions like the Russian campaigns to insert malware into the U.S. energy infrastructure.

“I agree with something that was said by Senator Heinrich,” McIntyre said, “that the day is not going to come when we may declare victory, at least in our lifetimes, over cyber problems. It is a matter that commands constant vigilance.”

McIntyre added that FERC staffers are “constantly vigilant” about cybersecurity and are in “increasingly close coordination” with other federal government agencies, including the U.S. Department of Energy.

“We monitor this stuff all the time because the threats are real and involve highly sophisticated players, state actors, and other entities that mean us harm as a nation, as an economy, mean to harm our national security and mean to harm our populace,” McIntyre said. “We need to pay constant attention to it.”

Congress in 2005 gave FERC oversight authority for the nation’s electric reliability, he pointed out, and directed FERC to put an organization in charge of setting regulations that assured reliability — the North American Electric Reliability Council (NERC).

NERC subsequently has developed what McIntyre called a robust and widespread system of reliability standards that include cyber protection.

“So this is something that gives us an official function in monitoring and asking ourselves constantly whether that suite of regulations, reliability standards, is doing what is intended in terms of the protection of our grid from a cyber standpoint,” he said.

And as the number of connection points with the grid have grown, so too have the points of vulnerability, creating “a real concern,” added McIntyre.

“In fact, we talk about a lot of technological advancements in energy leading to what we often hear referred to as the smart grid,” he said. “It’s possible that in certain respects our smart grid is a little too smart and that it’s a little too electronically accessible. There might be certain areas where we need to dumb down our grid a little bit for cyber protection reasons.”