Testimony we heard about cumbersome processes and the inability to react quickly didn't sound too promising, but you can read the excerpts below or scan the full testimony here and decide for yourself.
GAO – threats are evolving and growing
Gregory C. Wilshusen, Director of Information Security Issues with the Government Accounting Office (GAO), noted that threats to systems supporting critical infrastructure—which includes the electricity industry and its transmission and distribution systems—are evolving and growing. He pointed out that the increased reliance on IT systems and networks exposes the electric grid to potential and known cybersecurity vulnerabilities, including:
· An increased number of entry points and paths that can be exploited by potential adversaries and other unauthorized users
· The introduction of new, unknown vulnerabilities due to an increased use of new system and network technologies
· Wider access to systems and networks due to increased connectivity
· An increased amount of customer information being collected and transmitted, providing incentives for adversaries to attack these systems and potentially putting private information at risk of unauthorized disclosure and use
FERC – we need more authority
Joseph McClelland, who is Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission (FERC), talked about FERC's mandate to protect the nation's bulk power system – but said FERC lacks the authority to adequately address cyber or other national security threats to the transmission and power system. He told the panel:
"Widespread disruption of electric service can quickly undermine the U.S. government, its military, and the economy, as well as endanger the health and safety of millions of citizens. Given the national security dimension to this threat, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure. The Commission’s current legal authority is inadequate for such action. This is true of both cyber and physical threats to the bulk power system that pose national security concerns."
NERC – deep concerns about the changing risk landscape
Gerry Cauley, President and CEO of the North American Electric Reliability Corporation (NERC), noted that today NERC’s reliability standards are mandatory and enforceable within the U.S. for the bulk power system and include Critical Infrastructure Protection (CIP) Standards. Nonetheless, he told the Senate panel that the landscape is changing from conventional risks – such as extreme weather and equipment damage – "to new and emerging risks where we are left to imagine scenarios that might occur and prepare to avoid or mitigate the consequences." He said NERC has concluded "the most effective approach against adversaries exploiting the newer risk landscape is through thoughtful application of resiliency principles" which require proactive readiness.