NERC: Government intervention in electric grid controls 'scary' to contemplate
Government intervention in the electric grid during a cyber attack would be "very, very scary" even if the Defense Department might be justified under such circumstances in shutting down parts of the Internet, said a top bulk power industry figure.
Testifying Feb. 11 before the House Armed Services emerging threats and capabilities subcommittee, North American Electric Reliability Corporation Chief Executive Officer Gerry Cauley said the government taking action to alter the controls of the power grid is "a scary thought."
But he added that he can "conceive of extreme denial of service attacks on the Internet or some sort of a major cyber concurrent attack on the entire country where intervention by DoD might be beneficial."
The hearing, chaired by Rep. William Thornberry (R-Texas), considered what role the DoD should have in national cybersecurity. Much of the infrastructure critical to the day-to-day functioning of the United States, such as the electrical grid and communications networks, is privately owned.
Government authority as a whole in network security has been a hotly debated issue, especially following introduction of a bill in 2010 by Sen. Joe Lieberman (I-Conn.) that would give the president authority to order private sector operators of critical infrastructure to "immediately comply with any [cyber] emergency measure or action developed" by the Homeland Security Department, what critics have called a "kill switch." The Senate Homeland Security and Governmental Affairs Committee, which Lieberman chairs, intends to reintroduce the bill this year, its counsel has said.
"Some people have said that maybe the government ought to have the authority in order to shut down Internet traffic to critical infrastructure," said Gregory Nojeim, senior counsel for the Center for Democracy & Technology, during the hearing.
Such an authority would be counterproductive, Nojeim said, since it would be exercised only when a system operator "thinks that it ought not to be shut down." The civil liability protection provision in Lieberman's bill--under which a system operator acting under presidential authority would be protected from lawsuit--could also make industry less responsive to cyber attacks since company officials might hesitate to act until the presidential order comes through, Nojeim added.
Government policy should rather encourage information sharing between the private sector and governmental organizations, he added--so long as "information sharing does not devolve into de facto surveillance through ongoing or routine disclosure of private communications to the government."
NERC is currently working with the DoD and the National Institute of Standards and Technology to develop comprehensive cybersecurity risk management process guidelines for the entire electric grid, including bulk power and distribution, Cauley said. NERC is certified by the Federal Energy Regulatory Commission to establish and enforce reliability standards for the bulk-power system.
"While the majority of technology associated with the 'smart grid' is found within the distribution system, without appropriate safeguards and security processes and procedures in place, vulnerabilities realized within the distribution system could potentially impact the [bulk power system]," Cauley said in his prepared testimony.
The corporation is also developing a cybersecurity exercise to be held in the fall of this year that will explore what role government should play in a cyber emergency, Cauley added.