WASHINGTON – Fear of a devastating cyberattack against the nation's aging power grid prompted legislators to propose further government oversight of the electric industry Thursday.
The most serious attacks could destroy transformers or other equipment and knock out power for months,witnesses told a House committee.
Under the proposed legislation,government regulators would have the authority to compel power companies to secure their computer systems. Trade groups and government officials agree current mechanisms either don't move fast enough to counter a cyberattack or can't be enforced.
Government engineers demonstrated one such attack last year,nicknamed Aurora,which remains a closely guarded secret.
Officials gave few details about Aurora to power companies,which complained they didn't have enough information to fix the problem completely,said Steven T. Naumann,a vice president at Chicago-based electric utility Excelon Corp.
“Without that,we feel like we're fighting this battle with one hand tied behind our backs,” Naumann said.
An audit of 30 electric companies that responded to an advisory about Aurora found seven had taken the steps recommended in the warning,but only two had actually solved the problem.
“The most important thing is access to information,” Naumann said.
Trade groups voiced cautious support for the legislation at the hearing before the House Energy and Commerce's Subcommittee on Energy and Air Quality. The American Public Power Association asked legislators to limit the scope of the law and not address other national security threats,such as physical sabotage.
Power companies already work with numerous state and federal law enforcement agencies to secure power lines and plants,said Susan N. Kelly,who represents the association.
The law also has the potential to give the Federal Energy Regulatory Commission,which partially regulates electric companies,authority over utilities in Alaska and Hawaii.
Intelligence analysts have documented more than 20 attacks against electric infrastructure worldwide,including nuclear reactors,dams and power plants,according to congressional testimony. In several cases,hackers attempted to extort money from companies in exchange for keeping the lights on. Other incidents appear accidental. In 2003,a computer worm crashed computers at the Davis-Besse nuclear power plant in Ohio. The plant was offline at the time.