Monday, June 02, 2008

More on protecting the bulk power system

Following up on "The power grid? Why would hackers want to mess with that?":

House Homeland Security Committee Chairman Bennie Thompson and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James Langevin sent a letter late Thursday to Energy and Commerce Chairman John Dingell detailing their recent efforts to review the United States' bulk power systems operators' efforts to secure their information networks.
The BPS [bulk power system] of the United States and Canada has more than $1 trillion in asset value, more than 200,000 miles of transmission lines, and more than 800,000 megawatts of generating capability, serving over 300 million people. The effective functioning of this infrastructure is highly dependent on computer-based control systems that are used to monitor and manage sensitive processes and physical functions... According to the United States Computer Emergency Readiness Team ("US-CERT"), "this transition towards widely used technologies and open connectivity exposes control systems to the ever-present cyber risks that exist in the information technology world in addition to control system specific risks." ...

The risk to these systems is steadily increasing. Ten years ago, the President's Commission on Critical Infrastructure Protection ("PCCIP") released a report on the risks associated with interconnected computer systems on the BPS, stating that "the widespread and increasing use of supervisory control and data acquisition systems for control of energy systems provides increasing ability to cause serious damage and disruption by cyber means." Since the release of that study, numerous unintentional cyber incidents -- the Davis-Besse power plant incident in 2003, the Northeast blackout in 2003, and the Browns Ferry nuclear power plant failure in 2006 -- suggest that the concerns raised by the PCCIP were warranted. Malicious actors also pose a significant risk to this infrastructure. The Federal Bureau of Investigation has identified multiple sources of threats, including foreign nation states, domestic criminals and hackers, and disgruntled employees working within an organization.

Clearly, intentional and unintentional control systems failures on the BPS can have a significant and potentially devastating impact on the economy, public health, and national security of the United States. For a society that runs on power, the short term or long term disruption of electricity to chemical plants, banks, refineries, hospitals, water systems, and military installations presents a terrifying scenario. Economists recently suggested that the loss of power to a third of the country for three months would result in losses of over $700 billion...

While the NRC [Nuclear Regulatory Commission] could issue specific requirements for its owners and operators, the Electric Sector was unable to make similar demands... Though NERC [North American Electric Reliability Corporation] testified during the hearing that it sent a survey to industry members to determine compliance with the advisory and received a response from approximately 75 percent of the transmission grid that mitigations had been implemented or were in the process of being implemented, the Committee later learned that the survey was not sent until October 19, 2007 -- two days after the hearing...

In fact, all of the utilities interviewed requested additional information to help understand the technical implications of the attack and the specific strategies to mitigate the identified vulnerabilities...

In the interest of national security, a statutory mechanism is necessary to protect the grid against cyber security threats...

We look forward to working with you and your Committee to pass this critical legislation.
With this degree of urgency, perhaps we can hope for a suitable new law within 10 years, at which point the NERC can start drafting regulations with teeth in them...
