Congress must do more to protect grid from cyber, nuclear attacks

Congress should pass measures to protect the nation's electric grid against electromagnetic pulses emitted after a nuclear blast, witnesses told a hearing on Tuesday.

When a nuclear warhead detonates at altitudes between 25 and 250 miles, it emits a high-altitude electromagnetic pulse, or EMP, which disrupts and damages electronic systems, including electric grids, William Graham, chairman of the Commission to Assess the Threat to the United States From Electromagnetic Pulse, told the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. Geomagnetic storms that occur from significant changes in solar wind pressure can have a similar impact, he said.

"Some in government have taken the position that EMP attack and geomagnetic storm disruption are low-probability events," Graham said. "[But] geomagnetic storms will occur -- it is only a question of when, not if. Concerning EMP, the logic of their position is upside down. By ignoring large-scale catastrophic EMP vulnerability, we invite such attack on our infrastructure by adversaries looking to attack us where we are weak, not where we are strong."

In 1962, a U.S. nuclear test at an altitude of about 250 miles above Johnston Island in the Pacific Ocean caused street lighting systems to fail, tripped circuit breakers, triggered burglar alarms and damaged to a telecommunications relay facility in the Hawaiian Islands nearly 900 miles away.

Graham recommended that a bill, H.R. 2195, which would amend the Federal Power Act, address the threat of a cyberattack against the electric grid and address electromagnetic threats from nuclear EMP attacks and large-scale geomagnetic storms.

"An integrated approach to protecting critical electrical infrastructure will be much less expensive and more effective and expedient than any fragmented approach to the problem," he said, adding that the Homeland Security Department has shown "neither an understanding nor a willingness to consider the problem of electromagnetic threats to our country."

Other critics have said the bill would not prompt owners and operators of electrical facilities to do their part to enhance cybersecurity and should be expanded to address other components of the nation's critical infrastructure such as transportation and water.

Subcommittee chairwoman Yvette Clarke, D-N.Y., criticized industry for not addressing the risks of EMP attacks or cyberattacks against the electric grid. "The private sector develops its own security standards [and] the private sector also oversees compliance with these standards," she said. "In short, the private sector has the responsibility for securing the grid from electromagnetic events and cyberattacks."

Clarke pointed to reports from the North American Electric Reliability Corp., which develops security standards for power plants, that suggested industry is choosing not to identify critical assets to avoid securing them. According to NERC, 29 percent of power plant owners and operators reported identifying at least one critical asset, and 63 percent of utility companies responsible for transmission of power to customers identified at least one critical asset.

"This effort seems to epitomize the head-in-the sand mentality that seems to permeate broad sections of the electric industry," Clarke said. "It is amazing that many within the industry would gamble with our national and economic security."

NERC released 40 Critical Infrastructure Protection standards designed to defend critical infrastructure from cybersecurity threats and is working on additional standards that are expected to have initial industry approval by the fourth quarter of 2009, said Chief Security Officer Michael Assante. NERC also might incorporate into security standards elements of the National Institute of Standards and Technology's Special Publication 800-53, which provides recommended security controls for federal information systems. These standards don't address EMP directly, though Assante said NERC is looking into the threat.

Federal government should hold emergency authority to take action in case of an attack, but should not set standards for protection of the electric grid, Assante added.

"Preparedness and awareness efforts like the assessments, alerts and standards are necessary, but not sufficient, to protect the system against specific and imminent threats," Assante said. "NERC firmly believes that additional emergency authority is needed at the federal level to address these threats, and NERC supports legislation that would give an agency or department of the federal government necessary authority to take action."