October 21, 2015

Subcommittees Discuss Electric Power Grid Cybersecurity

(Washington, DC) – Today, the House Committee on Science, Space, and Technology’s Subcommittees on Energy and Research and Technology held a hearing to examine efforts by federal agencies, industry and the Department of Energy national labs to mitigate cybersecurity threats to U.S. power systems, and to specifically explore solutions to mitigate threats that were identified in the joint Energy and Oversight Subcommittee hearing entitled Examining Vulnerabilities of America’s Power Supply held earlier this year.

Congresswoman Suzanne Bonamici (D-OR) said, “We are all familiar with the increasing frequency of cyber attacks that compromise personal and business information. What we are focusing on today, however, is a different kind of cyber security. It’s about securing the electric grid so a cyber attack doesn't affect grid operations, which could halt our daily lives and threaten our economic security. These attacks often gain entry through an information technology system, but, instead of taking corporate data they directly target system operations that can cause havoc and chaos.”

In her statement for the record, Ranking Member Eddie Bernice Johnson (D-TX) described some of the issues we face transitioning to new grid technologies. She said, “If an entire system is interconnected and can respond more quickly to problems, as smart grids aim to do, then it also has the potential to be more quickly taken down by a malicious actor. As we will hear from our witnesses today, another basic challenge arises when combining information technology, or IT, with operational systems. IT cybersecurity solutions and safeguards cannot be used in operational technology without modification, and we must be mindful of this when planning for the future. While this is not a new challenge, it is certainly a difficult one.”

She continued, “However, none of these challenges should delay progress in creating a more efficient and reliable electric grid. We need to invest in cybersecurity research. We must foster productive relationships between the federal government, utilities, operators, vendors, and state and local governments. And we must ensure that any advancements in our power supply properly prioritize cybersecurity at every step.”

Ms. Annabelle Lee, Senior Technical Executive in the Power Delivery and Utilization Sector at the Electric Power Research Institute (EPRI), described some of these changes in her testimony. She said, “The nation’s power system consists of both legacy and next generation technologies. New grid technologies are introducing millions of novel, intelligent components to the electric grid that communicate in much more advanced ways than in the past. These new components will operate in conjunction with legacy equipment that may be several decades old, and provide no cyber security controls. Traditional information technology (IT) devices typically have a life span of three to five years. In contrast, operational technology (OT) devices have a life span of up to 40 years or longer. With the constantly changing IT and threat environments, addressing potential cyber security events is a challenge. Another change is the convergence of IT and OT. Historically IT has included computer systems, applications, communications technology and software to store, retrieve, transmit and process data, typically for a business or enterprise. OT has historically focused on physical equipment-oriented technology that is commonly used to operate the energy sector.”

Congresswoman Bonamici emphasized the importance of the human factor in cybersecurity. She said, “From understanding how people swipe their phones, to the patterns they use when typing on a keyboard or walking, a better understanding of behavioral biometrics is opening the door to developing more cyber-secure components and processes. The more we understand about human and social behavior, the stronger our toolbox. Rather than resting the success of our cybersecurity efforts on programs that require changes in human behavior, we might have better success if we change our technology and processes to fit the behavior of people. And the more we understand the behavior of threat actors, the better we can design protections. So in addition to building a better technology-based firewall, we need to invest in developing a better human firewall. Our weakest link and our most resilient asset to meet the dynamic changing needs of the cyber arms race is us.”