[Congressional Record Volume 160, Number 49 (Thursday, March 27, 2014)]
[Senate]
[Pages S1835-S1837]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
GRID SECURITY
Ms. MURKOWSKI. Mr. President, first, I thank my friend from Maine and
appreciate the conversations we have had in this past week. He has
taken a journey to the north that most of us only dream about. He is
engaged in issues I care deeply about as it relates to the Arctic.
Although I know that was not the discussion my colleague was speaking
to earlier, I just wanted to note while my friend from Maine was still
on the floor that I look forward to working on these issues of great
importance not only to my State but truly to our entire Nation and
Arctic Nation.
I come to the floor this evening to speak very briefly about the
physical security of our Nation's power grid, which is a very important
subject. Recently, there were stories in the Wall Street Journal about
an attack on the California Metcalf substation that happened last April
and has drawn considerable attention. While those stories about that
attack highlighted potential vulnerabilities, my principal focus will
be to highlight not only the safeguards that are already in place to
protect the Nation's bulk power system but also to announce a step that
I believe is now necessary to prevent the undue release of sensitive
nonpublic information.
First and foremost--and I think this is important for people to
recognize--it is important to remember that during the Metcalf
incident, the PG&E system did not lose power. In fact, it was an
incident that many didn't know had taken place until months after
because there was no loss of power. I think this fact emphasizes the
grid's resiliency and the importance of building redundancy into the
bulk power system.
As usual, the electric industry has learned from and responded to--
appropriately responded--the California incident. At the end of last
year the Departments of Energy and Homeland Security--along with the
North American Electric Reliability Corporation, or NERC, along with
the Federal Regulatory Commission, or FERC, and the FBI began a cross-
country tour of 10 cities in order to brief utility operators and local
law enforcement on the lessens that were learned from Metcalf.
Government officials discussed mitigation strategies and meeting
participants were able to develop some pretty important relationships
between first responders and the industry.
In fact, as a result of the mandatory requirements of the 2005 Energy
Policy Act, the electric industry has invested significant resources to
address both physical and cyber security threats and vulnerabilities.
Through partnerships with various Federal agencies, the industry is
keenly focused on preparation, prevention, response, and recovery.
For example, NERC holds yearly security conferences and a grid
exercise which tests and prepares industry on physical and cyber
security events. Yet former FERC Chairman Jon Wellinghoff was quoted in
the Wall Street Journal calling the Metcalf incident ``the most
significant incident of domestic terrorism involving the grid that has
ever occurred.''
In my view, comments such as these are certainly sensational.
Depending on the factual context, they can actually be reckless.
Although the topic of physical security warrants discussion--
absolutely warrants discussion and debate--we have to be prudent about
information for the public sphere. Many government leaders are privy to
confidential and sensitive information that if not treated carefully
could provide a roadmap to terrorists or other bad actors about our
vulnerabilities. At a minimum, government officials have a duty to
safeguard sensitive information that they learn in their official
capacity.
A story that appeared in the Wall Street Journal on March 13 was, I
believe, shocking because it included sensitive information about the
Nation's energy infrastructure that the newspaper said came from
documents that were created at FERC. Although the Wall Street Journal
did not name specific facilities at risk, it did detail the geographic
regions and the number of facilities that if simultaneously disabled
could cause serious harm. The March 13 article claimed the potential
for a national blackout.
[[Page S1836]]
I want to commend FERC Chair Cheryl LaFleur for her statement
regarding the publication of this information. I thank Commissioner
Tony Clark as well for his statement about the matter.
I think it is fortunate our current FERC Commissioners are an
independent lot. I understand that the Commission is looking into this
matter, including the question of how sensitive internal FERC documents
made their way into a very high-profile news article. I urge FERC to be
very diligent in this matter and truly leave no stone unturned.
I have grave questions about the irresponsible release of nonpublic
information that unduly pinpoints potential vulnerabilities of our
Nation's grid. If this conduct is not already illegal, I have suggested
it should be. The source of the leaked information appears to be
someone with access to highly sensitive, narrowly distributed FERC
documents. Releasing this sensitive information for publication has put
the Nation potentially at greater risk and potentially endangered
lives, including those of the many good people who are faithfully
working every day to maintain and to protect the grid.
In order to learn what has happened and to determine how better to
safeguard critical information as steps are being taken to make the
grid less vulnerable, my colleague, the chairman of the energy
committee, Senator Landrieu, and I have written to the inspector
general of the Department of Energy whose oversight includes FERC.
It is our understanding that the IG has already begun an inquiry into
this matter. We have asked him to conclude his inquiry as soon as
possible. We have also asked for his immediate assurance that if the
inquiry must ripen into an investigation, that he will--as we have
every confidence he would--follow the information he learns wherever it
leads.
We are eager to receive recommendations to improve the safeguard of
keeping sensitive information from disclosure. We have also asked the
IG to look into the obligations of current and former FERC
Commissioners and employees with respect to nonpublic information. I
would certainly hope the inspector general's inquiry leads to the
identification of the person or persons who provided this sensitive,
nonpublic information to the media, but even if it does not, even if we
learn the leak of this information could have been accomplished without
the violation of any disclosure restrictions, we will consider
introducing legislation to make sure that in the future the disclosure
of nonpublic information about our energy infrastructure that puts our
Nation at risk is a violation of Federal law. We must remember that the
possibility of a physical attack that disables key parts of the grid
has always been a risk. Again, in this instance, though, with the
Metcalf instance, our system worked and no power was lost. Therefore, I
urge a measured approach when evaluating our next steps in response to
Metcalf. Erecting barriers at every transmission substation and
surveillance of every inch of transmission is not feasible. I am
concerned these types of measures will potentially cost billions of
dollars with little impact. There must also be a balance between the
measures related to physical security and the costs that would likely
be passed through to consumers.
On March 7, the FERC used the grid reliability framework that
Congress established in the 2005 Energy Policy Act by directing NERC to
establish standards addressing physical vulnerabilities to better
protect our Nation's power grid. NERC has 90 days to develop its
proposed standards through a collaborative process. The proposed
standard will then be reviewed independently before it is submitted to
the FERC.
Our Energy Policy Act standards are foundational. Constant
information sharing between government and industry, coupled with
alerts for rapid response, are also key tools for dealing with the
changing state of security.
As policymakers we must include physical security as a key issue in
our decisions. We must also take measured steps to protect the grid,
but we shouldn't sensationalize the threat. I commend NERC and FERC for
starting the standard-setting process, and I urge all of the
participants to strike this balance between measures related to
physical security and costs and benefits for electric customers and the
broader public as a whole.
Again, I thank the chairman of the energy committee for her
willingness to join me on this letter which again I feel is very
important as we begin this review through the inspector general. I know
the Presiding Officer, as a valued member of the energy committee, is
very keenly aware of these issues when we talk about our grid
reliability threats to not only the physical security of our
infrastructure but most certainly the cyber security threats we face as
well.
I appreciate the indulgence of the Chair this evening.
I ask unanimous consent that the letter I referenced in my remarks be
printed in the Record.
There being no objection, the material was ordered to be printed in
the Record, as follows:
U.S. Senate, Committee on Energy
and Natural Resources,
Washington, DC, March 27, 2014.
Hon. Gregory Friedman,
Inspector General, Department of Energy, Washington, DC.
Dear Inspector General Freidman: The Committee on Energy
and Natural Resources is responsible for oversight of the
Federal Energy Regulatory Commission (the Commission, FERC)
and has jurisdiction over the laws the Commission
administers, including the Federal Power Act (FPA). In the
Energy Policy Act of 2005, Congress amended the FPA, adding
section 215, to establish the framework for ensuring that the
nation's bulk power system (BPS or electric grid) is
reliable.
Recent reports in The Wall Street Journal (WSJ) about grid
security (see attached) were shocking in their detail and
appear to have been based upon highly sensitive, narrowly
distributed FERC documents that may have pinpointed
vulnerabilities of the BPS. In the wrong hands, such
documents potentially could provide a roadmap for those who
would seek to harm the nation by intentionally causing one or
more power blackouts.
We are writing to respectfully request that the Department
of Energy Office of Inspector General (OIG) conduct a full
and thorough inquiry regarding the apparent leak to the WSJ
of sensitive information regarding physical threats to the
electric grid. As part of this effort we ask not only that
the OIG review the past, but also provide recommendations
regarding how to avoid a repeat of this very unfortunate
incident in the future.
We understand that your office has initiated a preliminary
review of this matter on its own initiative and we commend
you for doing so. We are also aware that the Federal Energy
Regulatory Commission (FERC) is conducting its own
investigation. We commend the FERC for this action, as well.
However, we note that it can be difficult for agencies to
effectively investigate their own actions which is why we are
making this request to the OIG.
The internal FERC documents regarding grid security that
appear to have been disclosed to the WSJ, are sufficiently
sensitive and potentially harmful to grid security that we
believe it would not be prudent to highlight specifically the
issues they raise at this time as part of this letter. For
the same reason, many of the questions that we request that
OIG answer also should not be made public. Consequently, we
will provide to OIG on a non-public basis associated
questions.
We do not know if the FERC documents that apparently form
the basis of the news reports are credible, but in any case,
disclosing and sensationalizing them, as it appears was the
work of the person who gave them to the newspaper, is highly
irresponsible or worse.
Even if your inquiry does not lead to the identification of
the person who provided this sensitive non-public information
to the media (and we hope it will), if you conclude that the
unauthorized disclosure of this information could have been
accomplished without the violation of any disclosure
restrictions, legislation could well be necessary. In that
event, we will consider introducing legislation to make sure
that the unauthorized disclosure of non-public information
about energy infrastructure that puts our nation at risk is a
violation of federal law.
We ask you to conclude your inquiry as soon as possible. We
have every confidence that you will follow the information
you uncover wherever it leads. Nevertheless, we seek your
immediate assurance that if the results of your initial
inquiry indicate that applicable Federal law and regulations
may have been violated by any current or former Federal
employee or official that you would then initiate a formal
investigation using all the powers of your office.
We are eager to receive recommendations concerning the
preparation, handling and proper treatment of the sensitive
information that forms the basis of the news reports and any
related information. We also ask you to examine the legal or
regulatory obligations of current and former FERC
commissioners and employees with respect to non-public
information, especially of the type covered by this letter
and the associated non-public attachment.
Thank you for your consideration. We intend to be fully
supportive of your inquiry.
[[Page S1837]]
Again, we look forward to having the benefit of your findings
as soon as possible.
Sincerely,
Mary Landrieu,
Chairwoman.
Lisa Murkowski,
Ranking Member.
I yield the floor.
____________________