The federal government should have the authority to simulate cyberattacks on the electric grid to lessen the nation’s vulnerability—especially during the COVID-19 pandemic, according to testimony at a Senate committee hearing on Aug. 5.
The threat of cyberattacks by foreign adversaries and other sophisticated entities is real and it’s growing, Lisa Murkowski (R-Alaska), chair of the Senate Energy and Natural Resources Committee, said at the committee’s hearing.
Murkowski cited last year’s Worldwide Threat Assessment from the Office of the Director of National Intelligence, which found that China, Russia and other foreign adversaries are stepping up cyber operations to target the United States’ military and critical infrastructure, including the nation’s electric grid. In January, the Energy Department alleged that a Russian government-backed hacking group probed a U.S. energy entity’s network.
“The COVID-19 pandemic has created a unique opportunity for cyber criminals to attack our networks, including critical energy infrastructure,” Murkowski said.
“We all know the stakes here. A successful hack could shut down power, impacting hospitals, banks, gas pumps, military installations, and cell phone service. The consequences would be widespread and devastating, and only more so if we are in the midst of a global pandemic.”
One way to increase protection of the nation’s electric grid is to conduct more simulated “red team” cyberattacks, said Joseph McClelland, director of the Office of Energy Infrastructure Security (OEIS) at the Federal Energy Regulatory Commission (FERC).
These types of simulations, sometimes called red-teaming, utilize hackers (the red team) to test the organizations’ cybersecurity and threat response to provide an outside perspective.
In July, the OEIS assisted the National Guard units and participating utilities in New England states to conduct Cyber Yankee, a simulated cyber-attack on utility system networks, McClelland said at the committee hearing.
“This exercise helped the utilities and National Guard units to prepare for these threats including practicing government assistance to the utilities as part of the defense and recovery efforts,” McClelland said. “Exercises such as this are critical to maintaining readiness and ensuring our ability to respond to cybersecurity events.”
Alexander Gates, senior advisor at the DOE’s Office of Cybersecurity, Energy Security, & Emergency Response (CESER), told committee members that he was unsure if CESER’s current authorities allow the agency to do the red-teaming and penetration testing on federally owned assets and private networks for which the agency is responsible.
“We could do more, perhaps we should do more, I don’t know if it gets to the level of pentesting or red-teaming,” Gates said. “There are people on my staff who would love to take that on. But again, right now in the role with the responsibilities and authorities [CESER] have, and partnerships it is advisory service that we’re providing at this point.”
Sen. Angus King (I-Maine) said that wasn’t good enough. The DOE and FERC should have authorities to conduct such testing on the networks they oversee.
“If you need additional authorities, I hope you will take for the record a question to let us know what additional authorities you need,” King said at the committee hearing. “I don’t see how you can carry out a mission of protecting the grid without testing the grid’s vulnerability.”