WASHINGTON — The president of the Electric Cooperatives of Arkansas urged a congressional panel Tuesday to put the brakes on imposing new cyber security mandates on power utilities, saying voluntary industry standards are working.
"Don’t short circuit the existing framework," said Duane Highley, president of the cooperative that serves more than 500,000 Arkansans.
Highley testified before the House Energy and Commerce Committee, which is examining the steps that the federal government and private sector are taking to bolster the security of the electric grid against cyber attacks.
The number of reported cyber security incidents affecting critical infrastructure control systems increased from nine in 2009 to 198 in 2011, according to a federal report.
In February, President Obama issued an executive order directing the National Institute of Standards and Technology to develop a "Cybersecurity Framework" aimed at reducing cyber risks to critical infrastructure.
Republicans and Democrats on the committee say it is imperative that the nation’s electric grid is well protected against attacks from cyberspace as well as unconventional weapons like an "energy pulse" such as the one that fictionally took down the Las Vegas grid in "Ocean’s Eleven."
But the two sides disagree on the right approach.
Republicans spoke favorably of a "voluntary" approach that would have the government provide incentives — such as tax credits and liability protections — to encourage an industry-led effort to bolster security of critical infrastructure.
Democrats raised concerns that some regulations may be needed to insure the protection of the electric grid and other critical infrastructure.
Rep. Henry Waxman, D-Calif., polled 150 electric utilities about their efforts to protect the electric grid and found that most utilities comply with mandatory reliability standards but not voluntary recommendations against a specific threat.
Twenty-one percent of investor-owned utilities implemented the North American Electric Reliability Corp. recommendation to protect against the Stuxnet virus – a computer worm designed to attack Iran’s nuclear facilities, he noted.
"The failure of utilities to heed the advice of their own industry-controlled reliability organization raises serious questions about whether the grid will be adequately protected by a voluntary approach to cyber security. When specific threats arise, prompt action is needed," Waxman said.
Rep. Marsha Blackburn, R-Tenn., argued that cyber security is "uniquely ill-suited" for federal regulation that cannot keep up with rapid changes in technology.
"Our focus should be on developing consensus public policy that puts American businesses in the driver’s seat and allows cooperation and collaboration, not top-down and one-size-fits all mandates," Blackburn said.
Highley echoed Blackburn’s assessment, noting that industry collaboration is essential to maintaining such a complex system.
"The grid is an extremely complex machine and changes need to be carefully coordinated with all stakeholders," he said.
Patrick Gallagher, director of the National Institute of Standards and Technology, testified that the Obama administration "strongly supports" a sector-led solution but anticipates needing some additional legislation to protect critical infrastructure.