By Rich Heidorn Jr.
WASHINGTON — It was Congress on its best behavior, for a change.
The House Subcommittee on Energy met Wednesday for the latest in its hearings on cybersecurity in the electric industry. It was a sober, reasoned discussion, in a bipartisan spirit almost unimaginable amid the anger roiling Capitol Hill over President Trump’s candidates for the Supreme Court, EPA and other cabinet offices.
“Downstairs we’re fighting like cats and dogs, but in this subcommittee, on this issue, we’re hugging each other,” said Rep. Joe Barton (R-Texas).
The subcommittee’s nearly two-and-a-half-hour session wasn’t a complete cease-fire zone. Rep. Frank Pallone (D-N.J.) railed over Trump’s decision to add controversial political strategist Stephen Bannon to the National Security Council’s Principals Committee while “apparently” excluding the secretary of energy. This, Pallone said, despite Congress’ approval of legislation two years ago to make the secretary the lead federal official responsible for electric grid security.
“Essentially, President Trump has chosen his top political security adviser over the nation’s top energy security adviser — and that’s a recipe for disaster,” Pallone fumed.
But that was the exception, as a panel including NERC CEO Gerry Cauley brought the subcommittee up to speed with discussions of the December 2015 attack on utilities in Ukraine, the discovery of malware on a Vermont utility’s laptop and the cybersecurity talent pool.
“The reliability of the bulk power system has improved over the last 10 years,” Cauley said, citing data on the number and severity of outages. “We’re always learning from every single event: small, medium and large.”
Cauley’s fellow panelists — SPP Vice President for Information Technology and Chief Security Officer Barbara Sugg; Scott Aaronson, the Edison Electric Institute’s executive director for security and business continuity; and Chris Beck, chief scientist and vice president for policy for the Electric Infrastructure Security Council — generally agreed. In response to a question from Barton, all graded Cauley’s leadership an “A.”
But Rep. David McKinley (R-W.Va.) was unconvinced.
“We’ve been told that ‘Everything is going to be fine. Everything’s under control,’” McKinley said, recounting hearings he has attended over his six years in office. He quoted UCLA basketball legend John Wooden’s admonition against confusing effort with accomplishments.
McKinley also repeated testimony two years ago by Thomas M. Siebel, founder of Siebel Systems, who said he and a team of 10 engineers from the University of California Berkeley could shut down the grid between Boston and New York within four days. “Now that was after all the testimony about all the safeguards we had in place. So is Mr. Siebel wrong?” he asked.
“I don’t think any of us today are saying it’s 100% under control,” responded Aaronson, speaking on behalf of the Electricity Subsector Coordinating Council. “While an attack that has an impact is always within the realm of the possible, the resiliency and redundancy that has grown up, and the ability to respond … makes me a lot more comfortable in our ability to deal with these sorts of [threats].”
Interdependence
A recurring theme in the panel’s comments was interdependence. They cited generators’ need for cooling water, the use of trains and trucks to transport spare transformers, and grid operators’ reliance on the telecommunications and financial services industries.
“I don’t ever expect there’s going to be an attack that’s just on the grid,” said Cauley, who added that the electric industry must increase its coordination with other sectors.
Beck agreed. “Simultaneous attacks on the oil and natural gas subsector, on water systems, communications, government, emergency response or other infrastructures could both create new categories of severe disruption and seriously complicate power restoration operations,” he said in his opening statement.
“In the aftermath of a natural disaster, response activities typically commence once the immediate danger has passed. In a cyberattack scenario, it is possible, or even likely, that the attacker could launch subsequent attacks to disrupt response and recovery efforts and/or cause further damage.”
Information technology and operational technology “professionals, however, are typically a limited resource. In a large enough attack, availability of such expertise will likely be too limited to address the need. In addition, especially given the problem of sustained or follow-on cyberattack, CEOs may be reluctant to flow critical personnel to assist others when they might be the next target. To bolster the intra-electric sector mutual support, external support is also necessary.”
The speakers also cited concerns over the supply chain for equipment used on the grid and “Internet of Things” consumer devices that could be vulnerable to hackers.
“I think we should put more emphasis on the manufacturers and really hold them accountable for developing things that are easy to maintain security with — not things that you just plug in and forget about,” said Sugg, representing the ISO/RTO Council. She said that certification of equipment could help.
“We used to buy a relay for the system and it would just be a couple of contacts and a core of copper wire,” said Cauley. “Now you have a box and it has 10,000 lines of code,” making them vulnerable to being reprogrammed by hackers. “So I think we have to think about long-term partnerships with suppliers, vendors and manufacturers in terms of building better security into systems.”
FAST Act
In response to lawmakers’ questions, the panelists said they welcomed the Fixing America’s Surface Transportation (FAST) Act of 2015, which amended the Federal Power Act to designate the Energy Department as the lead federal agency for energy sector cybersecurity. It also gives the secretary of energy authority to take emergency actions to protect the grid.
Cauley said the law corrected the lack of clarity on how the federal government would respond in a grid security emergency and increased protection of sensitive information. To comply with the law, FERC in November approved a rule updating its processes for the handling of Critical Energy Infrastructure Information (CEII). (See FERC OKs Information Security, FOIA Rules.)
Aaronson said the law “further solidifies the relationship” between industry and the federal government.
Pros and Cons of Distributed Generation
In response to a question from Rep. Jerry McNerney (D-Calif.), Cauley said he was “deeply concerned” about distributed generation, saying that while it can provide resiliency to the grid, its equipment is more vulnerable to hacking. In October, major websites were hit with a distributed denial-of-service attack that used thousands of Internet-connected devices such as cameras, baby monitors and home routers.
“The challenge is that all the devices are communicating with something else, and in some cases they’re much closer to the Internet than the bulk power grid,” he said. “So it’s going to create a much greater surface to attack and create multipliers in the attack. When you have common devices that are out there, instead of there being three breakers of a certain model, there’s 1.5 million devices that are exactly the same and could be simultaneously hacked.”
Three Incidents
The panelists also commented on several other recent incidents, including the April 2015 power outage in D.C., the December 2015 attack on utilities in Ukraine and the discovery of malware on a utility’s laptop in Vermont.
The power outage that darkened the White House and much of D.C. on April 7, 2015, was caused by the failure of a 230-kV lightning arrester at a substation 40 miles south of the capital. (See Failed Lightning Arrester Caused April Outage.)
Aaronson recalled that in the first hour after the lights went out, the cause was unclear. He said Pepco Holdings Inc. officials got on the National Incident Communications Conference Line with the Department of Homeland Security and White House officials, allowing the White House press secretary to announce that it was not the result of terrorism.
He said a real cyber incident would result in “immediate high-level coordination between the ESCC and industry CEOs along with senior government and NERC officials and the team from the Electricity Information Sharing & Analysis Center, which manages the Cybersecurity Risk Information Sharing Program.”
When a Vermont utility found malware associated with Russian hackers on a laptop in December, Aaronson said, 30 top utility CEOs were on an emergency conference call within four hours. “That is exactly the way it’s supposed to happen,” he said.
Ukraine
Cauley expressed confidence that the utilities under NERC’s authority would not have fallen victim to the attack that knocked out power to 225,000 customers in Ukraine for several hours in December 2015.
The hack had been set in motion the prior spring, when attackers gained a foothold in three Ukrainian electric distribution companies through spear-phishing emails carrying Microsoft Office files with malicious macros. After gaining entry, the hackers spent roughly six months conducting reconnaissance and testing before taking control of the systems in late December. (See How a ‘Phantom Mouse’ and Weaponized Excel Files Brought Down Ukraine’s Grid.)
Cauley acknowledged that the spear phishing technique used to get into the utilities in Ukraine is “the greatest vulnerability we have.” But he said the attack would not have been successful here.
“We would not allow that software to go unchecked and for the perpetrators to get elevated credentials so they could actually operate the system. Those are extreme violations of all our rules,” he said.
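The entry vector described above, a macro-bearing Office attachment delivered by spear phishing, is the kind of thing a utility’s mail gateway or SOC can triage mechanically before a user ever opens it. The following is an added example, not code from the article, the hearing testimony or any of the organizations mentioned: it inspects an Office attachment offline and flags embedded VBA projects, external (remote-template) relationships, and macro content hiding under a macro-free extension such as .docx. The sample documents it builds are constructed in-memory stand-ins, not real phishing lures; the IP address in the remote-template sample is a documentation address. Legacy binary .doc/.xls files (OLE2 compound files) are only recognized, not parsed; inspecting their macro streams needs a compound-file parser such as oletools’ olevba.

```python
import io
import re
import zipfile

# Constructed sample inputs (not from the article): minimal OOXML packages
# mimicking a clean document, a macro-enabled one, and one that pulls a
# remote template. Real lures carry far more parts; the checks are the same.
CONTENT_TYPES_HEAD = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
)
VBA_CT = "application/vnd.ms-office.vbaProject"          # content type of a VBA part
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # compound-file signature


def build_sample(with_macro: bool, with_remote_template: bool = False) -> bytes:
    """Assemble a toy OOXML package in memory (hypothetical test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = CONTENT_TYPES_HEAD
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CT}"/>'
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 container; only the header matters here.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
        rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        if with_remote_template:
            rels += ('<Relationship Id="rId1" '
                     'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                     'Target="http://203.0.113.10/t.dotm" TargetMode="External"/>')
        rels += "</Relationships>"
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def scan_office_file(data: bytes, filename: str) -> dict:
    """Triage one attachment; returns findings and a verdict, never raises."""
    r = {"format": "unknown", "has_vba": False, "vba_parts": [],
         "external_targets": [], "ext_mismatch": False, "verdict": "allow"}
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls: macros live in CFB streams; hand off to a CFB parser.
        r["format"] = "ole2"
        r["verdict"] = "review"
        return r
    if not data.startswith(b"PK\x03\x04"):
        return r                                   # not a ZIP container, so not OOXML
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            return r
        r["format"] = "ooxml"
        # Two independent signals for VBA: the declared content type and the part itself.
        if VBA_CT in z.read("[Content_Types].xml").decode("utf-8", "replace"):
            r["has_vba"] = True
        for n in names:
            if n.lower().endswith("vbaproject.bin"):
                r["has_vba"] = True
                r["vba_parts"].append(n)
            if n.endswith(".rels"):
                # External relationships fetch content at open time (remote templates, OLE links).
                xml = z.read(n).decode("utf-8", "replace")
                for m in re.finditer(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', xml):
                    t = re.search(r'Target="([^"]*)"', m.group(0))
                    if t:
                        r["external_targets"].append(t.group(1))
    except (zipfile.BadZipFile, KeyError):
        return r
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Macro content under an extension that is supposed to be macro-free is a classic evasion.
    if r["has_vba"] and ext in {"docx", "xlsx", "pptx"}:
        r["ext_mismatch"] = True
    if r["has_vba"] or r["external_targets"]:
        r["verdict"] = "block"
    return r


if __name__ == "__main__":
    for name, blob in [("report.docx", build_sample(False)),
                       ("invoice.docx", build_sample(True)),
                       ("agenda.docx", build_sample(False, with_remote_template=True))]:
        print(name, scan_office_file(blob, name))
```

The verdict logic is deliberately conservative for a grid operator’s mail flow: anything carrying a VBA project or an external relationship is blocked outright rather than scored, and legacy binary formats are routed to review because this scanner cannot see inside them. The two VBA signals are checked independently because a crafted package can omit the content-type override while still shipping the part, or vice versa.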
Workforce
Rep. Bobby Rush (D-Ill.) asked whether the industry was having trouble attracting talent to its mission, citing an estimate by the Institute of Electrical and Electronics Engineers of 1 million unfilled cybersecurity engineering jobs worldwide.
“It’s a challenge. There are a lot of needs and not a lot of people to fill it,” Aaronson acknowledged. “This is something that’s going to require a long-term, concerted effort, starting with STEM [science, technology, engineering and math] education and moving up to attracting the workforce to this particular critical infrastructure industry.”
Sugg said the industry is addressing the problem by partnering with universities to develop relevant curriculum. “Universities are producing some really skilled graduates that challenge our way of thinking about security in a very healthy way,” she said.
Beck said another challenge is breaking down communication barriers resulting from “stove pipes and tunnels.” Stove pipes — or silos — can inhibit communication between government agencies and infrastructure sectors. Tunnels refer to the separation between levels of decision-making within an organization.
“So CEOs understand each other and they have a certain view of the situation. The engineers that work on cybersecurity have a different understanding,” he said. “We need to … break down both silos and tunnels so that there’s a common operating picture and mission.”