The physical and economic vulnerabilities of the grid have been known for some time. Industry and government officials have focused in recent years on the possibility of a cyberattack disrupting or crippling America’s power system. This is an issue that has also captured the attention of leading members of the US Senate, including Lisa Ann Murkowski of Alaska.
On March 27, 2014 Senator Murkowski of Alaska asked for and was granted permission to address the United States Senate on a matter concerning the vulnerability of the electric grid to attack.
What she said in this regard was absolutely shocking ( no pun intended):
“Mr. President, first, I thank my friend from Maine and appreciate the conversations we have had in this past week. He has taken a journey to the north that most of us only dream about. He is engaged in issues I care deeply about as it relates to the Arctic. Although I know that was not the discussion my colleague was speaking to earlier, I just wanted to note while my friend from Maine was still on the floor that I look forward to working on these issues of great importance not only to my State but truly to our entire Nation and Arctic Nation.
I come to the floor this evening to speak very briefly about the physical security of our Nation’s power grid, which is a very important subject. Recently, there were stories in the Wall Street Journal about an attack on the California Metcalf substation that happened last April and has drawn considerable attention. While those stories about that attack highlighted potential vul ner a bil i ties, my principal focus will be to highlight not only the safeguards that are already in place to protect the Nation’s bulk power system but also to announce a step that I believe is now necessary to prevent the undue release of sensitive nonpublic information.
First and foremost–and I think this is important for people to recognize–it is important to remember that during the Metcalf incident, the PG&E system did not lose power. In fact, it was an incident that many didn’t know had taken place until months after because there was no loss of power. I think this fact emphasizes the grid’s resiliency and the importance of building redundancy into the bulk power system.
As usual, the electric industry has learned from and responded to–appropriately responded–the California incident. At the end of last year the Departments of Energy and Homeland Security–along with the North American Electric Reliability Corporation, or NERC, along with the Federal Regulatory Commission, or FERC, and the FBI began a cross-country tour of 10 cities in order to brief utility operators and local law enforcement on the lessens that were learned from Metcalf. Government officials discussed mitigation strategies and meeting participants were able to develop some pretty important relationships between first responders and the industry.
In fact, as a result of the mandatory requirements of the 2005 Energy Policy Act, the electric industry has invested significant resources to address both physical and cyber security threats and vul ner a bil i ties. Through partnerships with various Federal agencies, the industry is keenly focused on preparation, prevention, response, and recovery.
For example, NERC holds yearly security conferences and a grid exercise which tests and prepares industry on physical and cyber security events. Yet former FERC Chairman Jon Wellinghoff was quoted in the Wall Street Journal calling the Metcalf incident “the most significant incident of domestic terrorism involving the grid that has ever occurred.”
In my view, comments such as these are certainly sensational. Depending on the factual context, they can actually be reckless.
Although the topic of physical security warrants discussion–absolutely warrants discussion and debate–we have to be prudent about information for the public sphere. Many government leaders are privy to confidential and sensitive information that if not treated carefully could provide a roadmap to terrorists or other bad actors about our vul ner a bil i ties. At a minimum, government officials have a duty to safeguard sensitive information that they learn in their official capacity.
A story that appeared in the Wall Street Journal on March 13 was, I believe, shocking because it included sensitive information about the Nation’s energy infrastructure that the newspaper said came from documents that were created at FERC. Although the Wall Street Journal did not name specific facilities at risk, it did detail the geographic regions and the number of facilities that if simultaneously disabled could cause serious harm. The March 13 article claimed the potential for a national blackout. I want to commend FERC Chair Cheryl LaFleur for her statement regarding the publication of this information. I thank Commissioner Tony Clark as well for his statement about the matter.
I think it is fortunate our current FERC Commissioners are an independent lot. I understand that the Commission is looking into this matter, including the question of how sensitive internal FERC documents made their way into a very high-profile news article. I urge FERC to be very diligent in this matter and truly leave no stone unturned.
I have grave questions about the irresponsible release of nonpublic information that unduly pinpoints potential vul ner a bil i ties of our Nation’s grid. If this conduct is not already illegal, I have suggested it should be. The source of the leaked information appears to be someone with access to highly sensitive, narrowly distributed FERC documents. Releasing this sensitive information for publication has put the Nation potentially at greater risk and potentially endangered lives, including those of the many good people who are faithfully working every day to maintain and to protect the grid.
In order to learn what has happened and to determine how better to safeguard critical information as steps are being taken to make the grid less vulnerable, my colleague, the chairman of the energy committee, Senator Landrieu, and I have written to the inspector general of the Department of Energy whose oversight includes FERC.
It is our understanding that the IG has already begun an inquiry into this matter. We have asked him to conclude his inquiry as soon as possible. We have also asked for his immediate assurance that if the inquiry must ripen into an investigation, that he will–as we have every confidence he would–follow the information he learns wherever it leads.
We are eager to receive recommendations to improve the safeguard of keeping sensitive information from disclosure.
We have also asked the IG to look into the obligations of current and former FERC Commissioners and employees with respect to nonpublic information. I would certainly hope the inspector general’s inquiry leads to the identification of the person or persons who provided this sensitive, nonpublic information to the media, but even if it does not, even if we learn the leak of this information could have been accomplished without the violation of any disclosure restrictions, we will consider introducing legislation to make sure that in the future the disclosure of nonpublic information about our energy infrastructure that puts our Nation at risk is a violation of Federal law. We must remember that the possibility of a physical attack that disables key parts of the grid has always been a risk. Again, in this instance, though, with the Metcalf instance, our system worked and no power was lost. Therefore, I urge a measured approach when evaluating our next steps in response to Metcalf. Erecting barriers at every transmission substation and surveillance of every inch of transmission is not feasible. I am concerned these types of measures will potentially cost billions of dollars with little impact. There must also be a balance between the measures related to physical security and the costs that would likely be passed through to consumers.
On March 7, the FERC used the grid reliability framework that Congress established in the 2005 Energy Policy Act by directing NERC to establish standards addressing physical vul ner a bil i ties to better protect our Nation’s power grid. NERC has 90 days to develop its proposed standards through a collaborative process. The proposed standard will then be reviewed independently before it is submitted to the FERC.
Our Energy Policy Act standards are foundational. Constant information sharing between government and industry, coupled with alerts for rapid response, are also key tools for dealing with the changing state of security.
As policymakers we must include physical security as a key issue in our decisions. We must also take measured steps to protect the grid, but we shouldn’t sensationalize the threat. I commend NERC and FERC for starting the standard-setting process, and I urge all of the participants to strike this balance between measures related to physical security and costs and benefits for electric customers and the broader public as a whole.
Again, I thank the chairman of the energy committee for her willingness to join me on this letter which again I feel is very important as we begin this review through the inspector general. I know the Presiding Officer, as a valued member of the energy committee, is very keenly aware of these issues when we talk about our grid reliability threats to not only the physical security of our infrastructure but most certainly the cyber security threats we face as well.
I appreciate the indulgence of the Chair this evening” (source: Congressional Record http://thomas.loc.gov/).
See related article: How vulnerable is America’s power grid to a planned assault?http://www.cbsnews.com/news/how-vulnerable-is-americas-power-grid-to-a-planned-assault/