The U.S. electricity grid is dangerously vulnerable to sabotage by hackers, spies and terrorists, despite a seven-year effort to protect it from cyberattacks, senators and officials said Tuesday.
With senators differing on the degree of regulation required, the warning comes as the deadline for them to act on a cybersecurity bill before the August recess draws near.
The system for setting and enforcing cybersecurity standards for the nation’s electricity grid is “cumbersome and overly complicated,” Sen. Jeff Bingaman, chairman of the Senate Energy and Natural Resources Committee, said as he opened a hearing on the issue.
Set up by the 2005 Energy Policy Act, the system is “not adequate” for protecting the huge and complex power network from an attack via the Internet, the New Mexico Democrat said.
“Seven years after we passed the law … we are still waiting for that process to produce the full set of adequately protective standards that we need,” Mr. Bingaman said.
The Energy Policy Act gave ultimate responsibility for cybersecurity standards for the power grid to the Federal Energy Regulatory Commission — a long-established federal regulator.
But in response to concerns from the power industry about the burden of new regulations, Congress also told the agency to work through a private industry partnership group, the North American Electricity Reliability Council.
The federal agency and the private council have been sparring over standards ever since, Mr. Bingaman said.
The first set of standards the industry group proposed in 2006 was not approved by the regulator and had to be revised several times. The fourth version finally was approved in April, with the proviso that the private council get the industry to fix the remaining problems by March 2013.
Part of the reason it has taken so long, security specialists say, is that the federal commission does not have the authority to dictate standards to industry.
The commission’s “current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system,” said Joseph McClelland, director of the regulatory commission’s Office of Electric Reliability.
Moreover, there is no system for overseeing industry compliance with the standards, Gregory C. Wilshusen, director of information and technology issues at the Government Accountability Office, noted in his testimony.
However, as Mr. Bingaman noted, the power industry is the only sector of the United States’ critical infrastructure to have mandatory cybersecurity standards at all. There are no similar federal requirements for water or transportation systems, for instance.