New cybersecurity standards proposed by the North American Electric Reliability Corp. (NERC) to protect the nation’s power infrastructure are not broad enough and fail to cover a significant number of interdependent assets.
The standards also give electric utility owners, operators and users too much discretion when it comes to implementing the prescribed controls, a group of experts told members of the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology on Wednesday.
James Langevin (D-R.I.), chairman of the committee, said the NERC’s proposed standards require stakeholders in the power grid to establish plans, protocols and controls for safeguarding physical and electronic access to the control systems that manage the national’s electric infrastructure.
The problem is the standards are focused purely on the reliability of “bulk power systems” and don’t require electric sector owners and operators to secure their generation systems, distribution systems or telecommunication equipment, he said in prepared testimony.
“We know from countless real-world examples that these units are highly vulnerable to intentional and unintentional cyber events,” Langevin said. “Knocking any of these units off could affect the power supply to our nation’s critical infrastructure,” he noted in his statement.
The narrow focus of NERC’s proposed cybersecurity standards is especially troubling, Langevin said, in light of a recent simulated attack against a power utility control system that was carried out by Department of Homeland Security researchers at the Idaho National Laboratories. The same methods that were used in that experiment could be used to carry put attacks against larger generators and other equipment and cause “widespread and long-term damage to the electric infrastructure,” he warned.