Electric power is not only America’s economic lifeblood, but an essential element of our nation’s security. Businesses, chemical plants, banks, refineries, hospitals, water systems, grocery stores and military facilities all rely on electricity to operate. Our electric grid, in turn, increasingly relies on computer-based operating systems. Herein lies a unique homeland security challenge — how to protect the electric grid from failing, as a result of either intentional or unintentional events.
Today’s electric grid is very similar to the system that existed in the early part of the 20th century, with one critical difference: Computers are in charge. Our grid is highly dependent on computer-based systems. These systems are used to monitor and control sensitive processes and physical functions. When they were originally created, they were closed to the outside. To increase efficiency and save money, operators began connecting these systems to corporate networks and the Internet. Unfortunately, these connections also expose these critical systems to potential attacks online. Specifically, our reliance on electric power and the vulnerability of our interconnected system make the electric grid a prime target for an adversary who seeks to cause catastrophic harm to our country. In fact, there is some evidence, according to a recently released publication, that cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system. These malicious programs could do anything from briefly interrupting power delivery to destroying our nation’s large electric generating units.
My committee has long been concerned about security vulnerabilities in our electric system. In 2007, when we learned that the electric industry was aware of a dangerous cyber vulnerability known as “Aurora” but that some companies were not acting quickly to mitigate it, we launched an investigation and held two hearings to understand what was being done. The committee’s findings were disturbing. Most in the electric industry failed to complete the recommended mitigations, despite being advised to do so by federal authorities. This effectively left many utilities vulnerable. Furthermore, we learned that many utilities are underreporting their critical cyber assets, possibly in an effort to avoid compliance requirements of existing mandatory cybersecurity standards.
To address this vulnerability, I introduced legislation last spring — H.R. 2195, a bill that has garnered broad bipartisan support. This legislation would provide federal regulators with the authority to not only improve existing mandatory standards but also issue emergency orders in time of imminent attack. The Department of Homeland Security has an important role to play in keeping the electric grid secure. By performing cybersecurity vulnerability and threat assessments to our nation’s critical electric infrastructure on an ongoing basis and providing mitigation recommendations, the department can set the stage for a much-needed early warning and mitigation capability that could help protect this infrastructure from cyberattacks that can be perpetrated in milliseconds.
In recent months, we have begun working closely with stakeholders on the House Energy and Commerce Committee to try and reach consensus on this critical issue of national security. There is broad acknowledgment that the status quo is not acceptable. We must act to ensure that as we work to make the electric grid more efficient and “smart,” we also address known security vulnerabilities. Failure to act carries significant risk because we all know that the exploitation of these known vulnerabilities could have significant foreseeable national and economic security implications.
Rep. Bennie Thompson (D-Miss.) is chairman of the Homeland Security Committee.