Coming only weeks after he said FERC was powerless to respond to cyber threats to energy infrastructure, Chairman Jon Wellinghoff last Thursday announced the creation of an office to help the Commission focus on cyber and physical security risks to energy facilities under its jurisdiction, such as interstate natural gas pipelines, gas storage facilities and the transmission of electricity in interstate commerce.
The Office of Energy Infrastructure Security (OEIS) will aid the Federal Energy Regulatory Commission (FERC) in identifying potential risks to FERC-jurisdictional facilities from cyber attacks and such physical threats as electromagnetic pulses, as well as seeking solutions to the problem. OEIS, which will have a staff of 10-15, will be led by Joseph McClelland, who has been director of FERC's Office of Electric Reliability since 2006.
"Creating this office allows FERC to leverage its existing resources with those of other government agencies and private industry in a coordinated, focused manner," Wellinghoff said. "Effective mitigation of cyber and other physical attacks requires rapid interactions among regulators, industry and federal and state agencies."
OEIS will focus on developing recommendations for identifying, communicating and mitigating potential cyber and physical security threats and vulnerabilities to FERC-jurisdictional energy facilities using the Commission's existing statutory authority; providing assistance, expertise and advice to other federal and state agencies, jurisdictional utilities and Congress with respect to cyber and physical threats to jurisdictional energy facilities; participating in interagency and intelligence-related coordination and collaboration efforts with appropriate federal and state agencies and industry representatives on cyber and physical security matters; and conducting outreach with users and operators of energy delivery systems regarding cyber and physical threats to jurisdictional energy facilities.
Earlier this month, Wellinghoff expressed his exasperation with the lack of a federal system for reporting threats to energy infrastructure (see NGI, Sept. 10). "Nobody has adequate authority with respect to the both electric and gas infrastructure in this country regarding known threats and vulnerabilities," Wellinghoff said during a media breakfast at the National Press Club sponsored by IHS The Energy Daily. "If I had a cyber threat that was revealed to me in a letter tomorrow, there's little I could do the next day to ensure that that threat was mitigated effectively by some action by the utilities that were targeted," he said.
"I've said this for six years now, and I've also said I don't care who has the authority, but Congress should give somebody the authority. It could be me, it could be DHS [Department of Homeland Security], it could be DOE [the Department of Energy], it could be whoever -- it could be a cyber czar in the White House -- I don't care who has the authority, just give it to somebody so we can do something. Because we do get reports on a periodic basis of things that are happening out there that are very concerning to me."
The DHS in May reported that there had been an "active series" of cyber attacks on gas pipeline companies' computer networks since last December (see NGI, May 14). At the time, DHS said it was working with the FBI and other federal agencies, as well as pipelines, to identify the cyber intruders. The department has not said whether the matter has been resolved.
And taking matters into his own hands after Congress failed to pass the Cybersecurity Act of 2012 this summer, President Obama reportedly is preparing an executive order aimed at protecting critical national infrastructure, including power plants, and natural gas and crude pipelines, from cyber attacks (see NGI, Sept. 17).
According to a draft of the order obtained by the Associated Press, the new rules propose security standards for critical infrastructure and create a council of federal agencies that would report to the president on cyber threats. An executive order had not yet been posted on the White House website on Friday.
In July Obama called on the Senate to pass comprehensive legislation aimed at protecting the United States from a computer-based attack, which could cripple the infrastructure of the country (see NGI, July 23). In an opinion piece published in the Wall Street Journal, Obama said hackers had penetrated computer networks of companies that operate natural gas pipelines, and that "computer systems in [other] critical sectors of our economy -- including the nuclear and chemical industries -- are being increasingly targeted."
Intelligence Press Inc. All rights reserved. The preceding news report may not be republished or redistributed, in whole or in part, in any form, without prior written consent of Intelligence Press, Inc.