Testimony from industry representatives began May 7.
The purpose of the draft is to help create guidelines to bolster the government's readiness for possible attacks against the electric grid and its various assets.
Among other things, the bill would allow the Federal Energy Regulatory Commission (FERC) to direct the actions of utilities and modify rules.
The Senate Committee on Energy and Natural Resources heard testimony from representatives from the American Public Power Association (APPA), the North American Electric Reliability Council (NERC), the Department of Energy and other agencies.
Allen Mosher, senior director of policy analysis and reliability for APPA, which represents publicly owned utilities, told the committee that Congress should continue the industry partnership with government agencies in the U.S. and Canada as well as foster the industry's commitment to monitor the bulk power system and ensure grid reliability.
"Maintaining and enhancing the cyber security of our bulk power control and communication systems is a fundamental element of this developing industry culture," Mosher said.
Mosher called for continued participation in NERC's standards development process to develop mandatory critical infrastructure protection (CIP) standards that are clear, technically sound and enforceable.
Working with the industry, NERC has made a significant commitment of resources to the development of new security standards, he said.
"In fact, we've committed some of our scarcest resources, our subject matter experts in cyber security and system operations, to the task of developing draft standards for consideration by the industry," he said.
Mosher recommended a narrowly targeted authority for FERC to issue emergency orders in response to an imminent threat to the bulk power system.
In the case of an imminent threat, he said, time does not allow for classified industry briefings or mitigation measures for a threat. FERC and counterparts in Canada need the authority to direct the electric power industry to take needed action in emergencies, he said.
The electric power industry, and public power utilities in particular, need enhanced authority to protect and keep critical infrastructure information out of the public eye, he said.
There are conflicting statutory obligations to approve CIP standards through public notice and comment, he said, adding that threat and vulnerability information that makes such standards necessary should be safeguarded.
Joseph McClelland, director of FERC's Office of Electric Reliability, told the committee that his commission does not have sufficient authority to protect the grid against cyber attacks and other security threats to reliability.
This is due in part to FERC's inability to protect sensitive information and its inability to control the content of proposed standards, McClelland said.
McClelland said FERC and NERC are still working with the industry and government agencies to develop security standards to protect the grid.
"However, until such a time as the standards are modified, approved by the commission and implemented by industry, critical facilities will be left unprotected," McClelland said.
Even identifying which parts of the infrastructure are considered critical has been a challenge, he said. Only 29 percent of generation owners and operators reported at least one of their assets as being critical to bulk power grid reliability, he said.
"It is not clear, even today, what percentage of critical assets and their associated critical cyber assets has been identified," he said. "This issue is serious and represents a significant gap in cybersecurity protection."
McClelland stressed to the committee the danger posed by cyber attacks.
"Damage from cyber attacks could be enormous," he said. "A coordinated attack could affect the electrical grid to a greater extent than the August 2003 blackout and cause much more extensive damage."
Cyber attacks can physically damage generation facilities in a way that makes restoration of power take weeks or longer instead of a few hours, he said.
He recommended that legislation be amended to address not only cyber attacks, but also intentional, malicious physical attacks against infrastructure, which can be equally dangerous.
David Owens, vice president of the Edison Electric Institute's Business Operations Group, said the owners and operators of the bulk power system take cyber security seriously, adding that the companies EEI represents deal with such issues every day.
"Electric utilities are experienced and knowledgeable about how to provide reliable electric service at a reasonable cost to their customers, and they understand how their complex systems operate," Owens said. Because of this, utilities understand the consequences of a potential malicious act as well as how to prevent one.
Cyber security depends on a partnership among utilities, the federal government and suppliers of grid systems and components, he said. At the same time, every utility operates different equipment in different environments, making it difficult to know what will impact the bulk power system and what the threats and vulnerabilities are.
Stressing the need for agencies and utilities to work together, Owens called for any new legislation to grant utilities and regulatory commissions additional authority for dealing with emergency situations that threaten national security and public welfare.
"It is imperative that the government can provide appropriate entities clear direction about actions to be taken, and assurance that those actions will not have significant adverse consequences to utility operations or assets," he said.
Grid technologies are using digital controls more and more, he said. As new smart grid technologies come online, cyber security solutions must be developed in tandem with such systems as much as possible.