New cybersecurity bill for electric grid readied
Legislation follows report that said cyberspies gained access to U.S. electrical infrastructure
April 28, 2009 (Computerworld) Amid growing concern over the vulnerability of the U.S. electric grid to cyberattacks, two lawmakers are preparing to introduce new legislation aimed at bolstering the industry’s responsiveness to such threats.
The Critical Electric Infrastructure Protection Act is scheduled to be introduced on Thursday by Sen. Joseph Lieberman (I-Conn.), chairman of the U.S. Senate Committee on Homeland Security and Governmental Affairs, and Rep. Bennie Thompson (D-Miss.), chairman of the U.S. House Committee on Homeland Security.
A brief statement issued by the house committee today described the proposed legislation as one that would primarily empower the Federal Energy Regulatory Commission, an independent agency that regulates the interstate transmission of gas, oil and electricity, to issue “emergency rules or orders” if a cyberthreat is imminent.
The rules or orders may be issued if the Secretary of Homeland Security determines that a national security threat exists, the statement said. It did not, however, clarify what kind of rules and orders the proposed bill is specifically referring to.
In addition, the bill would require the commission to assess existing cybersecurity standards within the electric sector and establish new standards, as needed, for dealing with cyberthreats. It would also require the Department of Homeland Security to conduct an investigation to determine if the electric infrastructure has been compromised by outsiders.
The proposed legislation takes a “common sense” approach to tackling critical issues with electrical infrastructure security, Thompson is quoted as saying in the release. “Any failure of our electric grid, whether intentional or unintentional, would have a significant and potentially devastating impact on our nation,” he said.
The legislation follows a report published earlier this month by The Wall Street Journal that described how cyberspies from China, Russia and elsewhere have gained access to the U.S. electrical grid and installed malware tools that could be used to shut down service.
The story, which quoted unnamed national security and intelligence sources, described the attackers as having deeply penetrated the power infrastructure and poised to cause major disruptions in the event of a crisis or war.
Over the past few years, several others also have warned about the vulnerability of the power infrastructure. In 2007, the Idaho National Laboratory prepared a demonstration for the Department of Homeland Security in which a software vulnerability in a Supervisory Control and Data Acquisition (SCADA) system was used to cripple a generator.
A video of the demonstration that showed the generator being reduced to a smoking, shuddering hunk of metal aired on CNN, and still remains one of the most potent symbols of just what can go wrong if the power infrastructure is attacked in a cyberwar.
Concerns have prompted calls for mandatory security controls for some time now. For instance, a broad cybersecurity bill introduced recently by Sens. Olympia Snowe (R-Maine) and Jay Rockefeller (D-W.Va.) calls, among other things, for regulations mandating baseline security standards in critical infrastructure industries such as the power sector.
The Center for Strategic and International Studies (CSIS), which in December delivered a set of cybersecurity recommendations for President Obama, also called for similar regulations in the electric sector.