U.S. grid-security measures may hurt Canadian companies

be an “evolving” plan that adapts to the changing threat environment. He also suggested the onus is on the private owner-operators who control most of Canada’s network to do more. “It’s often difficult to persuade the decision-makers to make the investments necessary … (but) there is a potential real cost in not investing in appropriate security measures.”

In the event of an imminent cyber threat, no single U.S. government entity currently has sufficient authority to issue emergency orders to the private-sector bulk power industry. Two of the congressional bills, one in the House of Representatives and the other in the Senate, propose assigning much of that power to the Federal Electricity Regulatory Commission (FERC), as well as giving it authority to order the power industry to upgrade operational security standards.

The Canadian power-utilities association and the broader North American Electric Reliability Corporation (NERC) support FERC becoming the lead authority during an emergency. They oppose, however, granting FERC the power to impose new and presumably tougher security standards. That job, they say, is best left to the industry. What is more, “there (are) some fundamental questions here about jurisdictional sovereignty,” said Bradley. “In effect we would be taking orders from FERC, FERC would be determining operating standards in Canada. That doesn’t work from a sovereignty standpoint.”

Martin Rudner, one of Canada’s leading critical-infrastructure experts, believes a bilateral agreement is needed. “I don’t think the United States would act malevolently,” said the distinguished research professor emeritus at Carleton University and founding director of the Canadian Center of Intelligence and Security Studies. “But in an emergency, emergency rules apply. Let’s have a bilateral agreement, so that if this happens we may have to ration electricity but we’ll ration it rationally.”

Bradley and other association officials are to brief congressional staff on their concerns in Washington in December. “We are not passing judgment on any piece of legislation,” he said. “The American legislature will pass whatever legislation they want to pass, we can only provide our perspectives.”

MacLeod writes that U.S. efforts to harden its cyber defenses took on new urgency in May when President Barack Obama declared the country’s digital infrastructure - the computer systems controlling the nation’s critical infrastructure, from oil, gas and power to banking, transport, water and sewage systems - a strategic national asset.

That followed reports in April that cyberspies penetrated the U.S. electrical grid and embedded software programs that could be used to disrupt the system. The intruders, which government sources suspect to be Russians or Chinese, didn’t appear to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

Van Loan said there are no known similar “embedded” threats to the Canadian portion of the international power network, whose high-voltage transmission lines span 340,000 kilometers and serve 334 million people.

American concerns were heightened again on 8 November, when the former U.S. director of national intelligence, retired admiral Mike McConnell, told 60 Minutes he believes the power grid is the most vulnerable target of a sophisticated cyber attack. “If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer (and) I would probably attack electrical power on the U.S. east coast, maybe the west coast, and attempt to cause a cascading effect,” he said. “All of those things are in the art of the possible from a sophisticated attacker … the United States is not prepared for such an attack.”

Derek Burney, a former Canadian ambassador to Washington, also believes the Canada-U.S. power grid is probably a primary cyber target, more so than oil and gas pipelines. Writing last week in the online edition of Global Brief, Canada’s new international-affairs journal, he urged a more robust defense for computer systems, “as well as enhanced information sharing between countries and among targeted industries. Canada and the U.S. should be in the vanguard of states planning appropriate defenses against cyber attacks from within and without.”