Cyber Security Demands Co-op Input
By Cathy Cash | ECT Staff Writer
Published: May 24th, 2013
Protecting the nation’s electrical grid from cyber attacks is best served by a deliberate, yet timely process that involves all stakeholders, Duane Highley, president and CEO of Arkansas Electric Cooperative Corp. and Arkansas Electric Cooperatives, Inc., told Congress May 21.
Testifying on behalf of NRECA before the House Energy and Commerce Committee, Highley also said that the utility sector already addresses a large number of cyber security issues through current mandates under the North American Electric Reliability Corp.
The committee called the hearing to discuss President Obama’s Feb. 12 executive order on “Improving Critical Infrastructure Cybersecurity” that directs the National Institute of Standards and Technology to develop a framework for flexible, performance-based standards to reduce cyber risks through industry best practices and voluntary measures.
NRECA is engaged in discussions on cyber regulation with NIST, NERC and the Federal Energy Regulatory Commission. To ensure grid reliability, the commission has the authority to order NERC to develop mandatory enforceable standards, including those to address cyber security. “We want to see that work through a deliberate process that involves all the stakeholders. That is why we support the NERC process,” Highley said.
That process came under criticism by the committee’s top Democrat, Henry Waxman of California, and witness James Woolsey, the former CIA director, who favors federal legislation to authorize FERC to take more control over cyber security regulation for the power sector.
“We’re taking actions to improve the speed at which [regulation] can move,” Highley said in reply to Woolsey’s statements, noting that the recent FERC order for geomagnetic disturbances is seeking action within six months.
Cyber security attacks on utilities to date, “while large in number, are the same attacks that every business receives to their Internet portal,” Highley said. “They are all stopped at the gate. The supervisory control and data acquisition systems have mandatory enforceable standards for how you interface to those. We don’t have significant problem with attacks to those today.”
Highley, in his prepared testimony, also underscored the need for dialogue between utility CEOs and the federal government.
“Information sharing must be a critical component of the executive order conversations and eventual framework,” he said. “Much of the information needed to fully understand the nature of the cyber threats faced by our industry is classified at a level that is unavailable to our organizations.”
Patrick Gallagher, NIST director and undersecretary of Commerce for standards and technology, updated the committee on the framework process and emphasized the importance of an industry-led effort with “strong voluntary programs.”
Following workshops and “deep-dive engagements” with stakeholders, a draft framework will be ready in September, he said. He complimented the utility sector as high-performing and a model for the framework.
“Good cyber security is good business,” said Gallagher. “The goal at the end of our process is for industry to take and update the framework for cyber security itself.”