Weighing online and physical threats to the nation’s electricity grid and other vital industries, senators said this week they were working with the Department of Homeland Security to craft a re-organization of its infrastructure protection function.
“We are working hard to streamline and strengthen the office within Homeland Security that helps to protect critical infrastructure,” Sen. Thomas Carper told a Senate Homeland Security and Governmental Affairs hearing, referring to the National Protection and Programs Directorate, or NPPD, which houses the National Cybersecurity and Communications Integration Center. NCCIC is where the DHS keeps watch on the computer networks that run the government and the country’s vital infrastructure, like the telephone and rail system, water utilities and banks.
Senators heard about some worst-case scenarios from longtime journalist Ted Koppel, who has recently written a book about a cyberattack on the power grid — something experts have been warning about for more than a dozen years.
“The Chinese and Russians have already mapped and probed our electrical systems. Iran and North Korea are not far behind,” Koppel stated. “My message is simple: The nation cannot wait for a cyberattack on the grid that could deprive tens of thousands of Americans of electricity for weeks or even months.
“Is the nation at risk of a crippling cyberattack? I believe the answer to be yes.”
Speaking about the NPPD, Carper said, “My staff and I have been working to streamline this office so that it can better partner with industry. We do this by elevating our cyber function so that threats to industry can be assessed jointly.”
Department officials are pushing a reorganization plan that would create three operational elements within a renamed NPPD: an office of infrastructure protection; an “elevated and enhanced” NCCIC for U.S. cybersecurity; and the Federal Protective Service, the special police force that guards federal buildings.
In line with that plan, Carper called on Congress to change the name of the NPPD to the Agency for Cyber and Infrastructure Security, with the goal of making it the go-to place within government where industry can turn for help should a piece of the critical infrastructure, in the electrical grid or elsewhere, be attacked.
“The first thing is that we have to recognize that this possibility [of a devastating attack] exists, or we will never take the first steps to protecting ourselves,” Committee Chairman Sen. Ron Johnson, R-Wis., said.
Managing Director of Cyber and Infrastructure Security for the Edison Electric Institute Scott Aaronson agreed with Koppel’s bleak assessment of the possibilities, but stressed that the electrical industry was working on response planning.
“Electric companies have to be right 100 percent of the time,” Aaronson said. “The attackers only need to be right once. Given those odds, it makes sense to be prepared for an attack.”
Aaronson stressed that the industry was currently protected by what he described as a three-legged stool of security. The first leg is the North American Electric Reliability Corporation Critical Infrastructure Standards, or NERC CIP, which all power generation and transmission companies must comply with to avoid facing huge fines. And while he stressed that compliance with NERC CIP did not equal total security, that it goes a long way to implementing basic standards and practices for the over 3,200 different organizations that own and manage the country’s electrical generation and transmission capacity.
The second part of the security platform is the coordination of efforts between government and industry, something that Aaronson stressed was happening now at an unprecedented level, and that is expected to continue and even increase for the foreseeable future. Finally, the third leg involves electrical industry partnerships with other nongovernmental agencies that could help out in the event of an attack. One example used was the Spare Transformer Equipment Program in which railroads would ship auxiliary transformers, many of them weighing over 400,000 pounds, to power plants that have been damaged by an attack.
Other suggestions made by the committee included items not directly related to protecting the electrical grid from an attack, but instead on how to mitigate the damage in the event of a crippling attack. They included stockpiling food supplies and the drafting of interstate coordination plans for potential evacuees. It was also suggested that the electrical industry learn how to fall back to a more manual transmission system should the cyber infrastructure become crippled.
Adjutant General for the State of Wisconsin’s National Guard Major General Donald P. Dunbar pointed out that analog backups have worked in other places.
“Looking at the recent cyberattack in the Ukraine, although their infrastructure is not on par with the United States, they were able to switch to manual backup,” Dunbar said. “Although their cyber grid may still be infected, the actual disruption of the electrical grid only lasted six hours.”
It was almost universally agreed by witnesses and committee members that the threat against the country’s infrastructure was real, and that a devastating attack is not only possible, but also likely in the not-so-distant future. The only question was how prepared the United States would be to respond to, prevent or mitigate such an event.