The nation's energy infrastructure remains vulnerable to ongoing cyber attacks and the government is powerless to do anything about it, FERC Chairman Jon Wellinghoff said in Washington, DC, Wednesday.
Wellinghoff said he and Joseph McClelland, FERC's director of electricity reliability, have communicated with the Department of Homeland Security (DHS) and "any other agency that will listen to us" about the need for improved cybersecurity for energy facilities, but with no clear chain of command, the issue appears to have stalled.
"Nobody has adequate authority with respect to the both electric and gas infrastructure in this country regarding known threats and vulnerabilities," Wellinghoff said during a media breakfast at the National Press Club sponsored by IHS The Energy Daily. "If I had a cyberthreat that was revealed to me in a letter tomorrow, there's little I could do the next day to ensure that that threat was mitigated effectively by some action by the utilities that were targeted."
Wellinghoff said he would not have an effective way to confidentially communicate the information to utilities and he has no effective enforcement authority.
"I've said this for six years now, and I've also said I don't care who has the authority, but Congress should give somebody the authority. It could be me, it could be DHS, it could be DOE [the Department of Energy], it could be whoever -- it could be a cyber-czar in the White House -- I don't care who has the authority, just give it to somebody so we can do something. Because we do get reports on a periodic basis of things that are happening out there that are very concerning to me."
In July President Obama called on the Senate to pass comprehensive legislation aimed at protecting critical national infrastructure, including energy facilities, from cyber attacks (see NGI, July 23). In an opinion piece published in the Wall Street Journal, Obama said hackers had penetrated computer networks of companies that operate natural gas pipelines and "computer systems in [other] critical sectors of our economy -- including the nuclear and chemical industries -- are being increasingly targeted."
The Obama-backed bill, the Cybersecurity Act of 2012, which was proposed by Sen. Joseph Lieberman (I-CT) and four co-sponsors, was defeated in the Senate last month by a 52-46 vote.
Frustrated by the Senate's rejection of the bill, the White House has drafted a preliminary executive order that would create voluntary standards to help companies defend themselves from cyberattacks, the Washington Post reported on Friday.
DHS in May reported that there had been an "active series" of cyber attacks on gas pipeline companies' computer networks since last December (see NGI, May 14). DHS said it was working with the FBI and other federal agencies, as well as pipelines, to identify the cyber intruders.
Saudi Aramco, the state-owned oil company of the Kingdom of Saudi Arabia, recently reported that its main internal network services were attacked Aug. 15 "by a malicious virus that originated from external sources and affected about 30,000 workstations." Primary enterprise systems of the company's exploration and production were unaffected and production plants remained fully operational, according to Saudi Aramco. And Quatar's RasGas Company Ltd. said its office computer systems were affected by a virus on Aug. 27. Operational systems remained secure, and the production and supply of liquefied natural gas, pipeline gas and associated products were uninterrupted by the cyber attack, RasGas said.
Intelligence Press Inc. All rights reserved. The preceding news report
may not be republished or redistributed, in whole or in part, in any
form, without prior written consent of Intelligence Press, Inc.