Superstorm Sandy, recent cyberattacks highlight need to address potential cyber and physical risks to energy facilities

WASHINGTON, D.C. – Congressman Edward J. Markey (D-Mass.), a senior member of the Energy and Commerce Committee, sent a letter today to Chairman Fred Upton (R-Mich.) calling on the lawmaker to take immediate action to pass the bipartisan GRID Act to secure the nation’s electrical grid against damage from cyberattack or natural disaster. In the last Congress, Reps. Markey and Upton introduced H.R. 5026, the Grid Reliability and Infrastructure Defense (GRID) Act, which gives the Federal Energy Regulatory Commission (FERC) the clear authority to issue regulations to combat known cyber-vulnerabilities. The legislation passed by a vote of 47-0 in the House Energy and Commerce Committee, and unanimously in the full House of Representatives. In this Congress, the electric utility sector has lobbied aggressively against the measure and key House Republicans continue to block adoption of this critical legislation.

Text of Rep. Markey’s letter to Rep. Upton can be found below. A copy of the letter can be found HERE.

November 20, 2012

The Honorable Fred Upton
Chairman, House Committee on Energy and Commerce
The United States House of Representatives

Dear Chairman Upton,

I am writing to urge you in the strongest possible terms to take immediate action to pass the bipartisan GRID Act you co-authored in the last Congress, so that we can secure our nation’s electrical grid against devastating damage from physical or cyber terrorist attacks or from natural disasters. As the widespread and, in some cases, still ongoing power outages from superstorm Sandy have shown us, our electric grid is too fragile and its disruption is too devastating for us to fail to act. Given this urgency, it is critical that the House act immediately in a bipartisan manner to ensure our electrical infrastructure is secure.

As I am sure you are aware, a five-year old report from the National Research Council was declassified and released on November 14  . As this report makes clear, the kind of power loss seen from the recent disaster in New Jersey and New York is not even the most devastating possibility. Physical damage by terrorists to large transformers could disrupt power to large regions of the country and could take months to repair. This is not a hard-to-imagine scenario. The report indicates that “such an attack could be carried out by knowledgeable attackers with little risk of detection or interdiction.” Widespread, extended power disruption would “not immediately kill many people,” but if they” were to occur during times of extreme weather, they could also result in hundreds or even thousands of deaths due to heat stress or extended exposure to extreme cold.” Although this report is five years old, the vulnerabilities it identifies remain today.

At a recent address in New York, Secretary of Defense Leon Panetta identified a “cyber-attack perpetrated by nation states or extremist groups” as capable of being “as destructive as the terrorist attack on 9/11 . ” Specific vulnerabilities, for example to the Stuxnet virus that so effectively damaged uranium enrichment facilities in Iran, have been identified in the control systems for the nation’s electrical grid. Chevron, Inc., recently acknowledged that Stuxnet had infected its systems back in 2010  . In August, the Shamoon virus destroyed data on 60% of the computers on the internal network of the Saudi Arabian Oil Co., effectively crippling one of the world’s largest oil exporters  .  Although the North American Electric Reliability Corporation has suggested mitigating measures that could prevent Stuxnet-based attacks and other cyber threats on electrical grid systems, these protections are largely voluntary, have not been widely implemented and the danger remains  .

The Department of Homeland Security has also warned  that hackers have come close to shutting down water treatment facilities and have hacked into our electrical grid .   Reports of cyber-security incidents on everything from dams to nuclear power plants to water treatment facilities skyrocketed nearly 400 percent from 2010 to 2011. And all five heads of the Federal Energy Regulatory Commission -- the agency that should be our first line of defense -- told me  last year that they ranked cyber-threats at the very top of their list of threats to electricity reliability.

In the last Congress, we worked together in a bipartisan effort to pass the GRID Act (H.R. 5026; 111th Congress) in the House. This bill gave the Federal Energy Regulatory Commission the authority to issue rules and orders to protect critical electrical infrastructure. It was approved 47-0 in the Energy and Commerce Committee, a testament to its importance and the hard work we all put in to achieve consensus, and passed the House by voice vote in June 2010. And when I asked all five FERC Commissioners  whether they felt they needed the authority our bill provides in order to better secure the grid, they all said yes.  As you said when we introduced the bill, “the security of our Nation's energy infrastructure from attack is one of the most important issues that this Congress might address this year, and it's not an issue that we can take lightly. ” I agree completely.  I stand ready to work with you to take immediate action on this critical problem.


Edward J. Markey