Senate Energy and Resources Hearing on Cyber Security of the Electric Grid

May 7, 2009
This morning, the Senate Energy and Resources held hearings on Cyber Security of the Electric Grid. The witnesses were Joe McClelland from FERC, Rick Sergel from NERC, Patricia Hoffman from DOE, Allen Mosher from APPA, and David Owens from EEI. The hearing was on the draft language in the revision to the energy bill, specifically focused on oversight and scope. The hearing can be found at http://energy.senate.gov/public/index.cfm?Fuseaction=Hearings.LiveStream&Hearing_id=f846c4d4-f573-db68-4821-4be9a19886ff

My observations were the following:
- There is a concern with both the Senate and the industry witnesses on having both FERC and DOE in the loop to determine when an emergency should be declared. To me, this is a valid issue that needs to be resolved.
- There was a concern on how to expeditiously get the message out to all affected entities. One of the issues was the sensitivity of the information going to people without security clearances. Joe McClelland even mentioned the utilities were “out in the wild” meaning not knowing the threats and vulnerabilities. There has to be a better way to expeditiously get appropriate information to people that need it whether they have clearances or not.
- There were questions concerning testing of Smart Grid devices – who should do it and under what auspices. My concern is the Smart Grid is just another example of control system environments – they are systems of systems. Testing individual devices is important. However, it is an individual test, not a system test. Many control system cyber incidents occurred because of system interactions which testing of individual devices will not address.
- There was significant disagreement about scope. The current definition of “Bulk Power System” under FPA 215 does not include distribution and non-interconnected locations. That means Alaska, Hawaii, and Guam are excluded as well as New York City which has high voltage networks (138KV). FERC raised the issue that if the Committee intended to cover these areas with the new proposed authority, it should not use the current definition of “Bulk Power System” under Section 215. The current draft includes distribution and would therefore cover much of the Smart Grid equipment which is distribution-centric. NERC, APPA, and EEI (effectively the voice of the utilities) feel that scope is too broad. The redrafted bill is to be available Wednesday.

Joe Weiss