The U.S. electrical grid remains vulnerable to cyberattacks that could cripple the economy, and the organization responsible for regulating electrical suppliers doesn't appear to be serious about fixing the problems, some U.S. lawmakers said Wednesday.
U.S. Rep. James Langevin and other members of the House of Representatives Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology questioned whether the North American Electric Reliability Corp. (NERC), an electric industry group tasked with ensuring electric reliability, is doing its job.
NERC officials last October painted a "misleading" and rosy picture of the U.S. electric system's readiness for cyber attacks, said Langevin, a Rhode Island Democrat and chairman of the subcommittee. But Langevin has "little confidence" that the U.S. electrical grid has fully addressed the so-called Aurora vulnerability, a cyberattack aimed at shutting down electric utilities' generators or other equipment, he said.
"I still do not get the sense that we are addressing cybersecurity with the seriousness that it deserves," Langevin added. "I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security of this import. If NERC doesn't start getting serious about national security, it may be time to find a new electric reliability organization."
The U.S. and Canadian governments have given NERC authority to ensure the reliability of the electric grid. Last October, a NERC official told Congress that utilities covering 75 percent of the U.S. power grid were taking actions to fix Aurora vulnerabilities first identified by the U.S. Department of Homeland Security in 2006.
But the U.S. Government Accountability Office (GAO) released a report on Wednesday identifying numerous cybervulnerabilities at the Tennessee Valley Authority (TVA), the nation's largest public power company. The GAO issued 92 recommendations to the TVA, which supplies power to 8.7 million U.S. residents in Tennessee and parts of six other states.
"The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks," the GAO report said.
On the TVA's control systems networks, firewalls were inadequately configured or bypassed, passwords were ineffectively implemented, and servers and workstations lacked key patches and effective virus protection, said Greg Wilshusen, director of information security issues at the GAO. "Until TVA fully implements these security program activities, it risks a disruption of its operations as the result of a cyberincident," Wilshusen said.
TVA's corporate network had some of the same vulnerabilities, including a lack of key software patches, limited security configurations, and an intrusion-detection system with "significant limitations," the report said.
The TVA had already been working to fix the problems when the GAO investigation happened, said William McCollum Jr., chief operating officer of the TVA. The power supplier has addressed several of the issues identified by the GAO, McCollum said, and the TVA would address most of the problems by the end of the year. But McCollum could not give lawmakers a definite date when all the issues would be fixed.
NERC, with help from the Federal Energy Regulatory Commission, is implementing cybersecurity requirements that come online in July, instead of the advisories it had authority to issue in the past, said Richard Sergel, NERC's president and CEO.
Sergel pledged to push cybersecurity issues with electric utilities and paint a clearer picture of problems before Congress. "The responsibility to be clear [about problems] is ours," he said.