Mechanisms should be put into place that allow for adequate, actionable information sharing between utility cyber security specialists and the government agencies charged with monitoring security threats, a group of government and industry self-regulatory officials said today during a hearing held by the Senate Committee on Energy and Natural Resources. “There should be a mechanism in place for sharing that [cyber threat] information in a timely and effective manner,” Gregory Wilshusen, Director of Information and Technology at the Government Accountability Office (GAO), said during his testimony.
The widely recognized problem in sharing information about cyber threats was documented in a GAO study, which found that sensitive national security-related cyber threat information wasn't being filtered down to electric utilities. “The information that DHS provided was not meeting the expectation of their private partners. The information was not actionable and timely,” Wilshusen said.
“The information is ad hoc across agencies,” Gerry Cauley, President and CEO of the North American Electric Reliability Corporation (NERC), testified. “We have very limited access to clearances within the industry, particularly on the top secret side.”
“We hear from our utilities that it is a one-way information street,” Todd Snitchler, Chairman of the Ohio Public Utilities Commission, said, referring to the frustration utilities experience in not gaining early knowledge of threats well known among federal security organizations. Also hindering the two-way flow of information is utilities' fear of liability or exposure when they do report threats to state or federal authorities. “Anonymous sharing would help,” Snitchler added.
Although minimum technical standards, such as those developed by NERC or under development by the National Institute of Standards and Technology (NIST), are essential for maintaining adequate cyber security, the witnesses agreed that flexibility to respond to unique threats in fluid situations is just as important.
“Individual entities have to have the latitude to have the directive but not be so prescriptive as to tie them into a certain response,” Joseph McClelland, Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission, said. “The standard needs to compel action but provide latitude.”
Multiple layers of standards and instructions are needed to provide that flexibility, Wilshusen said. “You don't want to have to change the standard when a new threat comes along.”
Committee Chair Jeff Bingaman (D-NM) pressed the witnesses to address the threat of electromagnetic pulses (EMP) to the power grid from enemy attack or solar flares, an issue raised last week by former Republican Speaker of the House Newt Gingrich in a widely published op-ed piece following the Northeast storm-induced power outages. McClelland said that coordinated studies need to be done and standards need to be developed to address EMP threats.
Bingaman was not, however, satisfied with this response. “I get this feeling we might be studying this issue while the electric grid collapses,” he said.
Senator Al Franken (D-MN) probed the issue of supply chain threats, given that many of the components, such as semiconductors, that make up the new digital grid are manufactured in countries, such as China or North Korea, which may have a vested interest in monitoring or controlling the U.S. grid. Wilshusen conceded that supply chain threats are real. “IT supply chain is a vulnerability. We looked at several agencies, DHS, Energy and Department of Defense, and we found that agencies haven't adequately developed mechanisms to address that vulnerability.”
The hearing took place in advance of a compromise cyber security bill that the Senate will likely begin considering by the end of next week. Championed by Senator Joseph Lieberman (I-CT), the legislation will focus on information sharing among critical infrastructure industries and federal agencies. Lieberman and the Obama Administration have been pushing for legislation that would allow the Department of Homeland Security to impose minimum, mandated security requirements on critical infrastructure, including utilities.