Export Compliance Daily is a service of Warren Communications News.

Grid Oversight Group Faulted for Poor Cybersecurity Guidance

Blame for poor cybersecurity skipped the logical target, the top Department of Homeland Security cyber official, landing instead on a self-regulatory body, at a Wednesday House Homeland Cybersecurity Subcommittee hearing on control systems. Assistant Secretary of Cybersecurity and Telecom Greg Garcia, whom Chairman William Langevin, D-R.I., had faulted for missing the previous cybersecurity hearing (WID April 20 p1), got off with a light scolding from lawmakers. But Rep. Zoe Lofgren, D-Calif., said Garcia seemed to palm off his shop’s responsibility for oversight to a fellow agency. Ranking Member Michael McCaul, R-Tex., took the lead in crediting DHS and others with finding security gaps before terrorists and hostile states did.

Critical infrastructure assets are worth $1 trillion in the U.S. and Canada, and if the Bush administration doesn’t make their security a priority, “the future isn’t going to be pretty,” Langevin said. With more and more control systems connected to corporate intranets and the larger Internet, “we will not accidentally stumble upon a solution” to security risks, he said.

The committee recently filed comments with the North American Electric Reliability Corporation, a self-regulatory body subject to audit by the Federal Energy Regulatory Commission (FERC) and Canadian authorities, in a rulemaking on grid security, Langevin said. Lawmakers criticized proposed NERC security standards for infrastructure owners, saying they don’t seek to ensure power delivery after a cyber incident and don’t cover power generation and telecom equipment. National Institute of Standards and Technology standards are much stronger, he said. The committee sent a letter Wednesday to NERC asking for an investigation of how many private owners have followed through on the body’s standards.

Lawmakers were alerted to the state of grid cybersecurity by a declassified video, played at the hearing, showing a government-sanctioned successful cyberattack on a mock control system code-named Aurora. Traditional cybersecurity methods are hard to use on control systems because they require smooth and continuous operation, McCaul said. The 2003 East Coast blackout, started when a tree hit a power line, was aggravated by a software bug that “rippled across the East Coast,” he said. DHS should consolidate multiple agency and private sector initiatives to reduce overlaps and fill gaps, McCaul said.

Full Committee Chairman Bennie Thompson, D-Miss., faulted several vacancies in DHS for the agency’s cyberwoes. Empty slots include those for the director, the deputy director of outreach and the director of control systems security at the National Cyber Security Division, all vacated in recent months. “Of course this is nothing new for DHS or the cyber division,” Thompson said; those positions have seen regular churn since DHS’s creation. Garcia must give an update on DHS hiring efforts, Thompson said. “How is the department supposed to develop long-term relationships… when there is a different DHS face in every meeting?” Committee leaders “haven’t heard a peep” from DHS since learning from a Baltimore Sun article about a joint DHS-NSA effort to monitor key infrastructure networks that seems to have locked out private sector partners, he said. “I'm glad to see you're still on the job,” Langevin joked to Garcia, who holds a post that was vacant for a year after it was created.

Don’t forget that DHS itself found the Aurora vulnerability, “and we're proud of these efforts” to coordinate vendors, owners and operators, and agencies, Garcia said. With Department of Energy labs, DHS created a self-assessment form that an industry organization has offered to 30,000 members worldwide. DHS has created master’s programs in control system security used by 100 instructors and will release a broad national cybersecurity strategy the first quarter of 2009, Garcia said.

Control-system compromises aren’t academic, said Greg Wilshusen, Government Accountability Office director of information security issues. An attack on a sewage plant in Australia using a radio transmitter released a flood of raw sewage; a foreign hacker penetrated a Pennsylvania water treatment plant; and an apparent device failure at an Alabama nuclear plant produced excessive network traffic and a plant shutdown, he said. DHS needs an “overarching strategy” for information security and faster sharing of information with control-systems operators, as recommended by a larger GAO report on DHS information security released today, Wilshusen said. (See separate report in this issue.)

Tim Roxey, the Aurora mitigation team leader for the private sector, said the nuclear mitigation plans were developed with DHS and the Idaho National Laboratory, which unearthed Aurora, in three months. The plans were approved by sector coordinating councils last month, “a very substantial accomplishment,” he said. Success depends on including technical experts in all coordination meetings and having a single point of contact with all participants to reduce duplication, Roxey said.

Garcia couldn’t answer Langevin’s question about how many plant owners have implemented the NERC recommendations. “You must be much more proactive” to ensure mitigation plans are put in place, Langevin said. “Absolutely,” Garcia said, but pointed to FERC as its agent. Wilshusen agreed that the committee’s comments to FERC were on point. The standards don’t seem to consider the interdependence of infrastructure, and may not apply to assets with a “significant localized impact” on critical infrastructure supported by the bulk power system, he said. Garcia said the higher NIST standards “ought to be heavily considered” in strengthening the NERC standards, which are voluntary, but declined to evaluate the committee’s comments to FERC. “This is something we're going to have to take a harder look at,” Langevin said, perhaps through legislation.

McCaul gave a more positive assessment of the agency and private efforts. “I also believe that credit is due,” considering the committee was briefed on Aurora long before it went public, he said. The U.S. is not “behind the curve… This is actually a good news story.” The subcommittee hearing is the “first step to get people to sit up and pay attention,” Garcia said. Early work with the nuclear and electric sectors set a baseline for ongoing efforts with chemical, oil and gas, dams and water sectors, he said. Sectors must understand that the increasing use of the Internet in control systems poses risks never before faced, Wilshusen said.

Rep. Bill Pascrell, D-N.J., asked how many program managers overseeing control system security had departed DHS in the past three years. Garcia wasn’t sure but said their last manager stayed more than a year, and the agency is “aggressively” looking to fill the slot. The $12 million spent for control system cybersecurity doesn’t tell the full picture, since resources across NCSD are being used in the effort, he said. Wilshusen couldn’t answer Pascrell’s question about how much more the energy sector would have to spend on cybersecurity to comply with the NIST standards. NERC standards cost the industry $400 million. But Wilshusen said that NIST standards aren’t appropriate for some control systems, such as password controls that may hinder an immediate response to an incident.

The GAO report on DHS information security “makes me very anxious,” Lofgren said, noting her legislation created Garcia’s post. DHS has shown a lot of progress across all sectors, Garcia said. Lofgren interrupted, asking if GAO criticisms were well-grounded. Garcia said FERC could better answer that, calling his division a “coordinator.” Lofgren didn’t like that. “If I may, I don’t believe that’s the case, and I certainly don’t believe that’s what we intended in Congress” in creating the top cybersecurity slot at DHS. “Absent regulatory authority,” the NCSD can’t do more than draft plans and work with agencies that have additional authority, Garcia said. Lofgren asked Garcia to follow up on specific issues raised by GAO Wednesday and recommend what help Congress can give. “I'm not at all satisfied that enough is being done here,” especially when the government has “actionable intelligence” on control-system vulnerabilities, Langevin said.

Joseph McClelland, FERC director of the office of electric reliability, backed up NERC on a second panel. FERC can require NERC to incorporate NIST standards only if its own are judged inadequate, he said. “The process is not nimble and can take years” to approve new standards. FERC is low on money for its work anyway, he added.

The law limits what NERC can require, as opposed to what it can recommend, Executive Vice President David Whiteley said. “Local distribution facilities” were excluded from the regulatory definition of “bulk power,” he said, answering Wilshusen’s earlier criticism. NERC reviewed NIST standards and decided they couldn’t substitute for standards developed explicitly for bulk-power systems. NIST standards haven’t even been finished, and Canadian approval is required because of NERC’s structure, Whiteley said. He said about 75 percent of the transmission grid is carrying out NERC’s guidance.