DOE, CISA, and FERC Officials Testified About the Cybersecurity of the U.S. Electrical Grid
Washington, D.C. (July 28, 2021)—Yesterday, Rep. Stephen F. Lynch, Chairman of the Subcommittee on National Security, held a hearing to examine the cybersecurity of the U.S. electrical grid, the Biden Administration’s efforts to secure this critical component of our nation’s infrastructure, and whether additional actions are needed to address vulnerabilities in the electrical grid.
“The electrical grid is the backbone of daily life in America,” Chairman Lynch said in his opening statement. “It provides energy to heat our homes, power our hospitals, and charge our smartphones. It is also a priority target for state and non-state cyber adversaries. A successful attack on the electric grid could have devastating consequences for U.S. national security and economic interests.”
The Subcommittee heard testimony from Acting Principal Deputy Assistant Secretary Puesh M. Kumar, from the Office of Cybersecurity, Energy Security, and Emergency Response at the Department of Energy; Executive Assistant Director for Cybersecurity Eric Goldstein from the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security; and Joseph H. McClelland, Director of the Office of Energy Infrastructure Security at the Federal Energy Regulatory Commission.
Administration officials warned that the U.S. electrical grid is vulnerable to cyber attacks and emphasized the persistent and sophisticated nature of the threat posed to the electrical grid by state and non-state cyber adversaries.
- Mr. Goldstein testified that cyber attacks on U.S. critical infrastructure constitute “an immediate threat to our national security, economic prosperity, and public health and safety.” He added, “[T]he possibility of a highly damaging cybersecurity intrusion, affecting a national critical function, such as the provision of power to the American people is certainly a possibility.”
- Mr. McClelland described the potentially catastrophic consequences of a successful cyber attack on the electrical grid, stating, “Widespread disruption of electric service can quickly undermine the U.S. government, its military, and the economy, as well as endanger the health and safety of millions of citizens.”
Witnesses highlighted the Biden Administration’s commitment to securing our nation’s critical infrastructure and described the decisive and meaningful steps it has taken to strengthen the cybersecurity of the U.S. electrical grid.
- Mr. Goldstein testified: “The Biden Administration’s ‘Industrial Control Systems Cybersecurity Initiative’ and ‘Electricity Subsector 100-Day Action Plan’ are a coordinated effort that represents rapid, aggressive actions to confront cyber threats from adversaries who seek to compromise critical systems that are indispensable to U.S. national and economic security.”
- While acknowledging that “we don't manufacture large power transformers in the United States anymore,” Mr. Kumar testified: “Understanding the supply chain of our critical energy systems is very important to us. To that end, the President issued an executive order really focused on America's supply chains. And one of the key components of that is looking at those critical components, like transformers … that are so critical to the reliability of our electric grid and where are we manufacturing a lot of those components.”
Members and witnesses stressed that additional steps are needed to mitigate growing cybersecurity threats to the U.S. electrical grid.
- In response to a question from Rep. Hank Johnson about the federal government’s visibility into cyber incidents targeting private utility companies, Mr. Goldstein stated, “We know that there are still, across sectors, a number of intrusions today that are not reported to the U.S. Government.” This lack of reporting “precludes the government, including CISA, from offering assistance to the victim, it limits our ability to develop actionable information that could be used to protect other victims before similar events occur, and it limits our ability to understand the extent of national risk.”
- Mr. Goldstein further testified that “as a general point, efforts that we can take as a country to drive adoption of better security controls will lead to improvements to our national security, economic security, public health and safety. There are a number of roads that we can take to that outcome,” and added that “certainly regulation and standards is one path to that end; there may be other incentives that could also enable the same investment,” such as “broader cybersecurity grants.”
- In May 2021, the Government Accountability Office recommended that the Department of Energy conduct an updated assessment of the potential impacts of a cyber attack on electrical distribution systems. In response to questioning from Rep. Debbie Wasserman Schultz, Mr. Kumar committed that the Department of Energy would conduct such an assessment.