Lawmakers call for red team testing of legacy electric grids
- By Mark Rockwell
- Aug 06, 2020
The nation’s energy grid should be tested for cyber vulnerabilities, lawmakers say, especially in light of the new challenges posed by the COVID-19 outbreak and reports of foreign adversaries targeting the nation’s critical infrastructure.
“We all know the stakes here,” Senate Energy and Natural Resources Committee Chairwoman Lisa Murkowski (R-Alaska) said in her opening statement at an Aug. 5 hearing. “A successful hack could shut down power -- impacting hospitals, banks, gas pumps, military installations, and cell phone service. The consequences would be widespread and devastating, and only more so if we are in the midst of a global pandemic.”
"No one's testing," ranking member Sen. Joe Manchin (D-W.Va.) said. "Legacy grid systems were not designed to defend themselves against modern cyberattacks and, as they grow more and more connected to the internet, our electric systems grow more and more vulnerable."
Alexander Gates, a senior policy advisor at the Energy Department's Cybersecurity, Energy Security and Emergency Response agency, said the government's authority to test the security of private utilities "has limitations."
Thomas O'Brien, senior vice president and CIO of energy transport provider PJM Interconnection, which moves electricity around 13 states, agreed. He told the committee that his organization performs "extensive" red teaming and penetration testing of its own networks. However, he said, PJM does not conduct “red teaming and penetration testing on our member company’s systems, where data flows into us.” The company does not consider such testing “in our jurisdiction based on how we operate,” he said.
Manchin said he would follow up to ensure there are adequate opportunities for security testing throughout the system.
Joseph McClelland, director of the Office of Energy Infrastructure Security at the Federal Energy Regulatory Commission (FERC), described the recent Cyber Yankee exercise, in which government agencies, utilities and National Guard units in six New England states tested their skills against a red team cyberattack on utility system networks. “Exercises such as this are critical to maintaining readiness and ensuring our ability to respond to cybersecurity events,” McClelland said.
"Red team, hackers for hire -- we need more of it," said Sen. Angus King (I-Maine), adding that the Energy Department or FERC, or both, should have the authorities to perform such tests on networks.
King is also concerned with natural gas pipeline security. Those pipelines, he said, are a crucial part of the energy infrastructure. They are regulated by the Transportation Security Administration, but that agency, as has been documented in oversight reports, does not devote extensive resources to that activity. King suggested that TSA's current authority over pipelines might be better exercised by FERC.
"We need a hearing on natural gas pipeline security," said King. "I'm concerned we don't have the same level of standards and testing as we do for the electrical grid."
This article was first posted to FCW, a sibling site to GCN.
Mark Rockwell is the senior editor for custom content with Public Sector 360. Prior to that, he was a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.