A House subcommittee hearing Thursday examined state and local government preparedness in case of cyberattack on the U.S. electrical grid.
Rep. Lou Barletta (R-Penn.), chairman of the House Transportation and Infrastructure Committee called on subcommittee members to envision a scenario that has recently gained greater attention among lawmakers. “What consequences should the federal government tell states and local governments to prepare for?” he asked, during introductory comments. “In other words, for how many people and how long should states plan on being without power?”
For dramatic effect, Barletta brandished a copy of Ted Koppel's book Lights Out as he enjoined the Economic Development, Public Buildings, and Emergency Management subcommittee to consider Koppel's warning that the U.S. should plan for a cyberattack an electrical outage of 6 to 18 months. “It is crucial that we understand the risks,” said Barletta.
Although the potential of a direct cyberattack against the U.S. electrical grid is viewed by most industry pros as an unlikely scenario – certainly less likely than the urgent cyber challenges that already overwhelm federal and state agencies – the legislators expressed concern about the dangers of a potential attack.
For example, a report published last month by the Office of Management and Budget (OMB) found that government networks were successfully infiltrated in 77,000 cyber incidents during fiscal year (FY) 2015. In addition, agencies struggle to implement basic information security practices.
A cyberattack against Ukraine's electric grid by Russian hacker in December 2015 inspired some of the recent interest in the electric grid. Chairman Barletta mentioned these attacks, noting that the attacks against the Ukraine “affected four dozen substations and left a quarter million people without power.”
In response to the attacks, the Ukrainian government released a draft cybersecurity strategy to strengthen the country's critical IT and social infrastructure.
The FBI and Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also issued a response, announcing that the agencies were launching a series of unclassified threat briefings and webinars to inform “asset owners and supporting personnel” at ICS-CERT. The sessions discuss the techniques used by the Russian hackers, the notice stated.
During the hearing, Craig Fugate, administrator of DHS's Federal Emergency Management Agency (FEMA), said the agency is working with the Department of Energy to develop a federal plan which would respond to “a mass or long-term power outage regardless of cause.” The operations plan would address serious national safety threats, including “a significant disruption to our nation's energy grid–whether caused by a natural disaster, cyber or manmade event,” he said.