According to top officials at the U.S. Department of Energy, our nation’s energy infrastructure is “a primary target for hostile cyber actors,” and the “frequency, scale, and sophistication of cyber threats” are on the rise. In response to these growing concerns, the U.S. Senate Committee on Energy & Natural Resources held a hearing on February 14, 2019, to consider ongoing efforts within the energy industry to promote cybersecurity and prevent digital attacks against critical infrastructure. The hearing featured testimony from prominent individuals on the frontlines of protecting energy infrastructure in the United States, including Neil Chatterjee, Chairman of the Federal Energy Regulatory Commission (FERC); Karen Evans, the Assistant Secretary for Cybersecurity, Energy Security, and Emergency Response at the Department of Energy; and James Robb, President and Chief Executive Officer of the North American Electric Reliability Corporation.
The hearing focused on determining what efforts are required to incentivize the research and development necessary to keep ahead of growing cybersecurity threats. In particular Senator Lisa Murkowski (R-AK), Chairwoman of the Energy & Natural Resources Committee, sought information about the policy options currently under consideration to facilitate innovation in the cybersecurity space. On this issue, FERC Chairman Chatterjee stressed the importance of mandatory reliability standards in helping to bring about innovation. These standards, known as the Cybersecurity Infrastructure Protection Standards, were authorized under the Federal Power Act and are enforced by the National American Electric Reliability Corporation. In addition to mandatory standards, Chairman Chatterjee testified that focusing on voluntary best practices and improving inter-agency coordination are critical to address quickly evolving threats. According to Chairman Chatterjee, the information sharing efforts of entities like the Electricity Subsector Coordinating Council have been effective thus far; however, FERC will be hosting a joint technical conference on March 28, 2019, with the Department of Energy, state, and industry officials to make sure incentives exist to attract new research and development for countering cyber threats.
While hearing participants acknowledged the need for better coordination among government agencies and the need for more robust oversight of certain sections of the energy industry (e.g., natural gas pipelines), Senator Angus King (I-ME) pleaded with the members of the witness panel to act more swiftly in addressing cybersecurity vulnerabilities. According to King, “this is not a threat; this is happening now. We are under attack.” In particular, Senator King pressed James Robb for answers about whether foreign adversaries have already infiltrated our electric grid. He also questioned Mr. Robb about whether any American utility company’s software systems included technology from ZTE, Huawei, or Kaspersky. Mr. Robb did not know whether such software was utilized by American utilities. In addition, Senator King advocated for mandatory cybersecurity standards for gas pipelines. In response, Chairman Chatterjee stated that the industry has taken steps toward adopting voluntary standards and that he would continue working with them in good faith towards the goal of decreasing cyber vulnerabilities.
The hearing concluded with a discussion about the need for a forward-looking plan that would deter adversaries from attacking our energy infrastructure in the first place. Specifically, the committee sought to determine appropriate methods for how the United States should responded to cyberattacks and attempted attacks. Senator Murkowski illuminated this point by stating that the United States should make it “quite clear from a proactive perspective that there are consequences” for cyber-intrusions.