The U.S. government should accelerate the declassification of industry-relevant information regarding cybersecurity threats, Jim Robb, president and CEO of the North American Electric Reliability Corporation (NERC), told a House committee on Friday.
Robb also suggested broadening the availability of security clearances for the energy sector, adding that these measures would turn the shared information into "actionable insight" and increase the industry's awareness of risk factors.
The House Energy and Commerce subcommittee on energy discussed several bipartisan cybersecurity-related bills, without directly addressing utility industry access to security clearances. Rep. Jerry McNerney, D-Calif., introduced H.R. 359 to establish public-private cybersecurity partnerships. Last year, he addressed interest in increasing utility access to sensitive information.
While there has been no loss of load in North America that can be attributed to a cyberattack, the threat of an attack is at an all-time high, according to NERC.
To protect the country's power grid from a coordinated attack by foreign adversaries, NERC works closely with the U.S. Department of Energy (DOE), Department of Homeland Security, Federal Energy Regulatory Commission (FERC) and the Electricity Subsector Coordinating Council to further public-private partnerships aimed at addressing potential grid vulnerabilities, Robb said in his written testimony before the House Energy and Commerce subcommittee on energy.
He told the committee members that Congress can support those efforts through accelerated information sharing.
"Industry doesn't need to know the origin [of the threat]; we don't need to know the sources; we just need to know the 'what-s.' Unfortunately, the 'what-s' and the 'who-s' are intricately tied up, and so that kind of clogs the machinery up," Robb said.
While it is unclear how long it takes for information to become declassified, the Department of Energy's new Office of Cybersecurity, Energy Security and Emergency Response is working as fast as possible to provide the industry with declassified information, Karen Evans, assistant secretary of the year-old program, told House members on Friday.
"We really want to give them information that's actionable," she said in her testimony.
Another issue raised during the hearing was supply chain vulnerabilities. The electric reliability organization is addressing this through several different approaches, and Robb advocated for a supplier certification program.
"We think a supplier certification program is a very smart thing to do," Robb said. "The work the DOE is doing in this area is terrific. There are also some voluntary industry groups coming together that try to create a similar program."
"I think a [certification program] can be effective" in reducing vulnerabilities, Tyson Slocum, director of Public Citizen's Energy Program, told Utility Dive. "Having third-party verification is okay as long as these third-party entities themselves are subject to clear and direct oversight by FERC and NERC."
NERC this week will issue a Level 2 alert regarding foreign-made equipment suppliers, including the Chinese suppliers Huawei and ZTE. U.S. authorities are accusing both companies of conducting espionage for the Chinese government.
As part of the Level 2 alert, utilities will be required to take inventory of their potentially compromised equipment and submit a mitigation plan to NERC, Robb explained.
Congressional lawmakers also expressed concerns over the industry's often-criticized structure for self-reporting cyberattacks.
"I'm concerned about some of the more volunteering reporting structure," Rep. Tom O'Halleran, D-Ariz., said.
For Slocum, who testified on an overhaul of the system, self-reporting is not effective.
"If we're going to take cybersecurity seriously, we need to be serious about the way that NERC oversees the industry," he said. "And that means more affirmative use of audits and less reliance on self-reporting to handle enforcement and compliance matters."