The growing threat of cyberattacks is prompting a group of senators to try to quickly close holes in the systems that protect the energy grid, including one decidedly low-tech approach.
The Securing Energy Infrastructure Act, introduced last month, is an attempt by Sens. Angus King of Maine, Jim Risch of Idaho and three other co-sponsors to make sure the grid's cybersecurity system has low-tech protections instead of automated systems that can be attacked.
The main motivation for the bill is the December 2015 attack on Ukraine's electrical grid that left hundreds of thousands in the dark for up to six hours. That moment was a turning point for King, who said it demonstrated the need for the United States to move immediately on protecting its critical infrastructure.
"We have been too slow to take meaningful action to protect ourselves from similar attacks," the Maine Independent said. "It's vital that we act now to bolster the grid's cyberdefenses, or we risk a potentially catastrophic attack."
The Department of Energy added to the sense of urgency last month when it described hackers as "growing in sophistication" and said cyberattacks in the future will be aimed at more conventional targets such as electric substations that deliver electricity to customers.
In its Quadrennial Energy Review, department officials said hackers are looking to disrupt the institutions that people depend on every day.
It's possible for them to lurk in the shadows of the cybersecurity protections for critical infrastructure, learn how they work and then attack them to disrupt the flow of everyday life, the report said.
"One of the hackers' strongest capabilities was their performance of the long-term reconnaissance operations required to learn the environment and execute a highly synchronized, multi-stage, multi-site attack," it read. "These highly targeted, long-term campaigns, called advanced persistent threats, are generally designed to satisfy the requirements of international espionage and/or sabotage."
One of the biggest provisions in King and Risch's bill is to replace automated systems with human operators controlling procedures manually. That would kill the ability of hackers to shut down the electricity grid because they would need physical access to the controls to access the grid.
It's a plan that would have helped stop a test attack on replica communications, power and cybersecurity systems for an electric utility's distribution system, the system that sends power from substations to customers.
Hackers hired by the government last spring to test security systems and expose weaknesses were able to find one unsecured device and bring down the entire electrical system set up for the test.
However, the plan does not deal with physical attacks on the grid, such as a 2013 sniper attack on a California substation. The 20-minute attack took down 17 transformers, caused $15 million in damage and almost cut off power to Silicon Valley.
The senators, who include Sens. Martin Heinrich, D-N.M., Susan Collins, R-Maine, and Mike Crapo, R-Idaho, could have a major ally in President Trump.
Trump told a group at a cybersecurity meeting at the White House last week that he wants to see protections for the electrical grid and power plants soon. He was scheduled to sign an executive order improving the nation's cybersecurity defense last week, but postponed signing it.
"We will protect our critical infrastructure such as power plants and electrical grids," he said. "The electrical grid is a problem, but we'll have it solved relatively soon."
The bill would establish a two-year pilot program in the Energy Department's National Laboratories to find new security vulnerabilities, research and test technology to isolate critical systems from cyberattacks, establish a working group to evaluate those technological solutions and come up with a national strategy to protect the energy grid. The Energy Department would have to report its findings to Congress.
"The continued threats against our critical energy infrastructure systems in the United States require investments that will help enable our nation to achieve a sustainable advantage in critical infrastructure and control systems security," Risch said.
Scott Aaronson, executive director of security and business continuity at Edison Electric Institute, told Congress last week that the private sector isn't waiting for the government. The institute is the association that represents all American investor-owned electric companies.
The institute helps utilities coordinate with each other and the government on potential cyberthreats. It has come up with standards each company must abide by or face fines of $1 million per day, Aaronson told lawmakers on the House Energy and Commerce Committee.
"These are not lax, lowest-common-denominator standards," he said. "These are rigorous requirements that improve the industry's security standards."
With the strict standards, the industry is working closely at the executive level to understand threats to their systems. That doesn't just include electric companies, Aaronson said. It also includes transportation infrastructure that provides fuel to power plants, water infrastructure to cool power generation systems and communications networks.
A mutual assistance program is also in place for other companies to be able to help one that faces a cyberattack. The companies conduct exercises regularly to practice how that would work, which Aaronson said builds off the electric sector's culture of cooperation built in times of natural disasters.
"Preparing for incidents just makes sense," he said.
