Securing the nation’s electric grid is already a top priority in Washington, and with the grid growing smarter it is expected to become even more vulnerable, pressing the bigger question of which agency will manage it.
The Massachusetts Institute of Technology’s (MIT) Energy Initiative released a comprehensive report this week, The Future of the Electric Grid, and among the recommendations is that a single agency take charge of securing the nation’s grid.
“As communications systems expand into every facet of grid control and operations, their complexity and continuous evolution will preclude perfect protection from cyberattacks,” the report says in its findings.
Mark Weatherford, now deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security (DHS), noted in a column for Government Technology in April that a Forrester Research analyst, Usman Sindhu, called the “smart grid ‘the cloud computing of the utility industry.’” Weatherford added that “with the evolving nature of cybersecurity in the cloud arena, that alone should give us pause.”
MIT’s report concurs, but with restraint. “Despite alarmist rhetoric, there is no crisis here. But we do not advise complacency,” the report says. Its key recommendation against sitting idle is that the federal government “designate a single agency to have responsibility for working with industry and to have the appropriate regulatory authority to enhance cybersecurity preparedness, response and recovery across the electric power sector, including both bulk power and distribution systems.”
The report notes that while recent proposals by the U.S. House of Representatives and the Senate Energy Committee would designate an agency to watch over the electric grid’s cybersecurity, the Barack Obama administration “seems to have given more weight to the DHS’ broad expertise in cybersecurity and its multisector responsibility, while the Congress seems to have given more weight to [the Department of Energy] and [Federal Energy Regulatory Commission’s] specific knowledge of the electric power industry.”
“There is currently no national authority for overall grid cybersecurity preparedness. FERC and [the North American Electric Reliability Corp. (NERC)] have authority over cybersecurity standards development and compliance for the bulk power system, but there is no national regulatory oversight of cybersecurity standards compliance for the distribution system,” the report states.
“Compliance with standards does not necessarily make the grid secure,” the report posits.
A spokeswoman for NERC, Kimberly Mielcarek, said, "We would ... welcome one agency being in charge should an emergency arise — which agency that is would be up to Congress to decide and we wouldn't speculate on who it should be."
Rep. Dan Lungren (R-Calif.), who chairs the House Homeland Security's Cybersecurity, Infrastructure Protection and Security Technologies Subcommittee, is expected to introduce a bill next week that would designate the DHS as the lead agency for securing the nation’s critical infrastructure, including the electric grid.
Lungren opened a subcommittee meeting on cybersecurity [http://homeland.house.gov/hearing/subcommittee-hearing-hearing-draft-legislative-proposal-cybersecurity] on Tuesday, Dec. 6, saying: “Congress needs to act to improve our cyberdefenses by designating the responsible agency in government to coordinate defense of the government networks.”
“We agree with the administration that the Department of Homeland Security is the appropriate agency to lead this effort and protect our critical information infrastructure. My bill codifies DHS’ cyber roles and responsibilities,” he said.
“The cyberthreat must be addressed in partnership with the private sector, which owns most of the country’s critical infrastructure. This will require establishing ‘a true trusted partnership’ between government and the private sector,” he told the hearing on Tuesday.
Lungren does not expect that his bill will be voted on this year.