Testimony for 2023 Senate Energy Committee hearing on cyber security of the grid
I provided my blog, “NERC Cyber Security Incident Reporting Is Obscuring the Truth,” to the Senate Energy Committee staff prior to the March 23 Senate Energy Committee hearing on cyber security of the grid. The hearing addressed the need for accurate industry incident sharing with the intelligence community through the Energy Threat Analysis Center (ETAC). It is not clear how viable the ETAC will be, given the lack of accurate control system cyber incident disclosures identified above. The control system cyber incident information sharing issues are not limited to the electric industry. Industry cyber security programs, the National Cybersecurity Strategy for Critical Infrastructure, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and government cyber security requirements assume that control system cyber incidents can be accurately identified in a timely manner. An example of the inaccuracy of control system cyber security incident reporting is the 2021 Oldsmar, Florida wastewater treatment facility “cyberattack.” Despite the widespread claims of a cyberattack, the facility incident was user error.
As a result of these issues, I was encouraged by Senate Energy Committee staff to provide a version of my blog for the hearing record. My testimony will be available by mid-April at the Congress.gov website.