Congress struggles to secure nation’s power grid

Policymakers are searching for ways to defend the nation’s power grid from a major cyberattack, amid concerns the industry’s digital defenses are dangerously lagging and underfunded.

Security experts warn that energy companies, while attuned to the threat, are scrambling to play catch-up, leaving the all-important power grid exposed to hackers.

On Capitol Hill, the threat of a major power grid hack has mostly gone with little notice, sidelined by the bold cyberattack on Sony Pictures Entertainment, a series of hacks across the health insurance industry and the devastating intrusions at the Office of Personnel Management (OPM), thought to be the largest ever digital theft of government data.

{mosads}But while the chances of a headline-grabbing cyberattack hitting the energy system remain minimal, the damage could easily surpass any of the digital assaults that have driven the cyber talks on Capitol Hill this year.

“Just because something is a low probability doesn’t mean it’s going to be low impact,” said Stephen Boyer, co-founder of security firm BitSight.

“The whole idea of the grid is crucial,” emphasized Rep. Sheila Jackson Lee (D-Texas), who is backing a bill to prioritize power grid cybersecurity. “It is the backbone of America’s industry and social life or quality of life for our citizens. Therefore a grid that is attacked is your water, it’s your sewer, it’s your electricity.”

And according to researchers, the industry isn’t fully prepared to stymie sophisticated hackers.

“There are definitely some risks and some gaps,” said Boyer, whose company rates cybersecurity preparedness at thousands of firms, including many within the energy and utilities sector. “Those that are making policy decisions need to account for that when we’re trading off where we’re going to make investments.”

In recent years, cyber spies and overseas hackers have increasingly turned their attention to the U.S. power grid. In 2014, the energy sector was the most targeted of the nation’s critical infrastructure industry sectors, accounting for a third of cyber incidents, according to a government report.

National Security Agency (NSA) Director Adm. Michael Rogers acknowledged in a congressional hearing that China and likely “one or two” other countries are currently sitting on the grid, with the ability to literally turn out the lights if they wanted to.

Rogers said these states, which likely include Russia and possibly Iran, “are deterred only by the fear of U.S. retaliation.”

But, he added, “We can’t count on the fact that less rational actors might also gain access to those critical systems.”

The comment was a reference to the growing cyber capabilities of unpredictable states like North Korea — which was blamed for the bruising cyberattack on Sony Pictures Entertainment last year — and digitally savvy extremist groups like the Islamic State in Iraq and Syria (ISIS).

A top Department of Homeland Security (DHS) official recently told energy firm executives at a conference that ISIS “is beginning to perpetrate cyberattacks.”

And the results could be catastrophic.

Researchers at the University of Cambridge and insurer Lloyd’s of London recently estimated that a grid blackout across 15 states and Washington, D.C., would cost the economy hundreds of billions of dollars, raise mortality rates at failing hospitals and disrupt the country’s water supply as electric pumps shut down.

Industry officials are well aware of this threat. But Boyer said an assessment of energy generation companies from security firm BitSight revealed concerning deficiencies.

Out of all sectors BitSight analyzed, the energy and utilities sector had the largest percentage of servers with encryption problems, Boyer said.

For example, the sector trails others in eradicating the potentially catastrophic Heartbleed security bug, a widely publicized encryption flaw uncovered over a year ago that left much of the Internet’s sensitive data exposed to hackers.

Overall cybersecurity, energy and utilities firms ranked down near the healthcare industry, which is coming off a year of mega breaches at top health insurers like Anthem and Premera Blue Cross. It was also graded slightly worse than the retail sector, which touched off the wave of high-profile breaches with hacks at Target and Home Depot.

“Are they not understanding what their assets are? Are they not responding? Are they just not aware?” Boyer asked. “I don’t know all those reasons.”

The energy industry argues it is aggressively moving to keep pace with cyber threats.

The Electricity Information Sharing and Analysis Center (E-ISAC) is one of the country’s few long-established ISACs — sector-specific hubs that compile, assess and disseminate data on hacking threats.

Last week, more than 350 companies came together for a two-day stress test of the power grid’s ability to detect and deflect the worst-case physical and digital attacks. It was the industry’s third exercise in the last five years, and drew a wide range of participants, including electric generators, transmission companies, law enforcement officials and federal government agencies.

In every successive exercise, cyberattacks have become a more prominent part of the exercise.

“Threats are constantly changing and emerging, and our ongoing cyber and physical security efforts help assure the system is more secure,” said Gerry Cauley — president of the North American Electric Reliability Corporation (NERC), which organized the stress test — in a statement.

A report detailing the outcome of the test is expected sometime early next year.

Meanwhile, grid security has started to catch the attention of lawmakers and presidential candidates alike.

On the campaign trail, Democratic front-runner Hillary Clinton released a sweeping plan to upgrade the power grid that would create a new presidential team to coordinate cyber threat assessment and response efforts between the government and energy industry.

On Capitol Hill, Congress is locked in a funding battle that some say is vital to ensuring the grid’s security.

Lawmakers face a Dec. 11 deadline to move a slate of spending bills, including the Energy and Water Development appropriations bill. The measure funds an Energy Department program, known as the Cybersecurity for Energy Delivery Systems, to research and develop tools to shield the grid from digital assaults.

The House-passed bill would boost funding for the program by $8.5 million over last year. The Senate version would keep the program at its 2015 levels, denying the White House a requested $6 million increase.

Jackson Lee believes Congress must go past funding increases, though, and make the power grid a top cybersecurity priority.

Her bill does just that, she told The Hill. The Terrorism Prevention and Critical Infrastructure Protection Act would direct DHS to work with critical infrastructure companies to boost their cyber defenses.

“It puts the grid in a priority position,” said Jackson Lee, a senior member of the Homeland Security Committee and ranking member on the Judiciary Committee’s Subcommittee on Crime, Terrorism, Homeland Security, and Investigations. “A priority position to ensure that we vet and provide the structures of guidance for how this grid across the nation should be protected.”

Both parties and industry officials have responded favorably to the measure, Jackson Lee said. She’s targeting 2016 to try and get it on the floor.

“We want to make sure that we do it in a way that members view this as an important element of national security,” she said.