The Russian connectionLawmaker demands answers about Russian cyberattacks on electric utilities

Senator Edward J. Markey (D-Massachusetts, last week queried electric utilities and federal agencies about last year’s reported cyberattack by Russia on U.S. electrical utilities and the steps being taken to identify vulnerabilities and protect from future attacks.

In July, the Wall Street Journal reported that in 2016 and 2017, hackers backed by the Russian government successfully penetrated the U.S. electric grid through hundreds of power companies and third-party vendors. Russian hackers gained access to control rooms, putting them in a position to disrupt U.S. power flow. In his letters, the Senator warns that continued attacks should not be a surprise as the Department of Homeland Security issued a warning alert as far back as 2013, and in 2016, the Department of Energy found that “the cybersecurity landscape is characterized by rapidly evolving threats and vulnerability, juxtaposed against slower-moving deployment of defense measures.”

“From elections to electricity, we know that Russia will continue to launch cyberattacks on our systems,” said Markey. “Unless we act now, the United States will continue to remain vulnerable to the twenty-first century cyberarmies looking to wage war by knocking out America’s electricity grid. We need answers and assurances from stakeholders who operate and oversee the grid that they are doing everything possible to secure our nation’s electrical system against devastating damage from physical or cyber-terrorist attacks.”

In his letter to the utilities, Senator Markey asks for responses to questions that include:

•  Were you a victim of Russian cyberattack, and how was your system was infiltrated? For each of the past five years, have you been subject to an attempted or successful physical or cyberattack?

•  What steps are being taken to prevent future attacks?

•  What steps are being taken to address cyber-vulnerabilities such as active hacking measures and corruption of third-party firmware or software?

In his letter to the federal agencies, Markey requests more information about the roles each agency play in identifying, analyzing, responding to, or creating new rules and standards to address cyber vulnerabilities of electric utilities; how each agency works with other federal agencies to coordinate efforts around cybersecurity of electric utilities; efforts to engage both electric utilities and critical third party vendors to protect electric utility assets against vulnerability; and any efforts to proactively identify vulnerabilities in the U.S. electric grid.

Letters were sent to electric utilities PG&E, Florida Power and Light, Duke Energy Carolinas, LLC, Consolidated Edison CO-NY, Exelon Corporation, Entergy Corporation, Xcel Energy, Southern Company, National Grid, and Southern California Edison; federal power marketing organizations Tennessee Valley Authority, Salt River Project, Bonneville Power Administration, and Western Area Power Administration; federal agencies Department of Homeland Security, Department of Energy, and Federal Energy Regulatory Commission (FERC); and NERC.

A copy of the letter sent to the utilities can be found here. A copy of the letter sent to the federal power marketing organizations can be found here. A copy of the letter sent to the federal agencies can be found here. A copy of the letter sent to the North American Reliability Corporation can be found here.