Canadian producers wary of U.S. bills on cyber attacks

OTTAWA, CANADA - Canada's electricity industry is concerned unilateral U.S. action to protect the North American power grid from an imminent cyber threat could upset the power supply in Canada.

Four cyber-security bills before Congress contain either weak or no provisions requiring U.S. authorities to consult Canada before taking action to confront an imminent cyber threat to the continental network.

"They've got to recognize that the North American grid is international, it's interconnected, it's integrated.

Consultations, co-operation between governmental authorities on both sides of the border is going to be imperative, otherwise you won't be able to ensure system reliability and you'll probably undermine system reliability," said Francis Bradley, of the Canadian Electricity Association (CEA), representing power generators, utilities and other industry players.

As it stands, where international consultation on an imminent cyber emergency is addressed at all in the draft bills, the language is qualified.

For example, the proposed Bulk Power Protection Act in the House of Representatives recommends consultation with Canada and Mexico "to the extent feasible, taking into account the nature of the threat and urgency of need for action... subject to adequate protections against inappropriate disclosure of security-sensitive information."

Said Bradley: "There has to be very clear and explicit language that makes it critical that there is consultation and co-operation with whoever (in the U.S.) is going to be making orders that will impact the grid."

The complexity of balancing the system, especially if somebody alters something in one portion of the system without coordinating with another portion, can mean the power goes out "even if what they're proposing is the right thing to do," he said. "The right thing to do still has to be done in a coordinated fashion."

Public Safety Minister Peter Van Loan dismissed the association's concern in an interview Friday. "Frankly, if somebody launches an attack and you haven't made yourself technically resilient, it really doesn't matter whether or not the (the U.S.) is consulting with Canadians or not," he said.

"The system is either going to survive or go down in a hurry. What matters more is what is done in advance to prevent that from ever happening," he said.

Successive federal governments in Canada have promised a national cybersecurity strategy since 2004. Van Loan said "fairly advanced work" is underway but would not say when the strategy might be unveiled, only that it will be an "evolving" plan that adapts to the changing threat environment.

He also suggested the onus is on the private owner-operators who control most of Canada's network to do more. "It's often difficult to persuade the decision-makers to make the investments necessary... (but) there is a potential real cost in not investing in appropriate security measures."

In the event of an imminent cyber threat, no single U.S. government entity currently has sufficient authority to issue emergency orders to the private-sector bulk power industry. Two of the congressional bills, one in the House of Representatives and the other in the Senate, propose assigning much of that power to the Federal Electricity Regulatory Commission (FERC), as well as giving it authority to order the power industry to upgrade operational security standards.

The Canadian power-utilities association and the broader North American Electric Reliability Corporation (NERC) support FERC becoming the lead authority during an emergency. But they oppose granting FERC the power to impose new and presumably tougher security standards. That job, they say, is best left to the industry.

What's more, "there (are) some fundamental questions here about jurisdictional sovereignty," said Bradley. "In effect we would be taking orders from FERC, FERC would be determining operating standards in Canada. That doesn't work from a sovereignty standpoint."

Martin Rudner, one of Canada's leading critical-infrastructure experts, believes a bilateral agreement is needed.

"I don't think the United States would act malevolently," said the distinguished research professor emeritus at Carleton University and founding director of the Canadian Centre of Intelligence and Security Studies. "But in an emergency, emergency rules apply. Let's have a bilateral agreement, so that if this happens we may have to ration electricity but we'll ration it rationally."

Bradley and other association officials are to brief congressional staff on their concerns in Washington in December.

"We are not passing judgment on any piece of legislation," he said. "The American legislature will pass whatever legislation they want to pass, we can only provide our perspectives."

U.S. efforts to harden its cyber defences took on new urgency in May when President Barack Obama declared the country's digital infrastructure — the computer systems controlling the nation's critical infrastructure, from oil, gas and power to banking, transport, water and sewage systems — a strategic national asset.

That followed reports in April that cyberspies penetrated the U.S. electrical grid and embedded software programs that could be used to disrupt the system. The intruders, which government sources suspect to be Russians or Chinese, didn't appear to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

Van Loan said there are no known similar "embedded" threats to the Canadian portion of the international power network, whose high-voltage transmission lines span 340,000 kilometres and serve 334 million people.

American concerns were heightened again November 8, when the former U.S. director of national intelligence, retired admiral Mike McConnell, told 60 Minutes he believes the power grid is the most vulnerable target of a sophisticated cyber attack.

"If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer (and) I would probably attack electrical power on the U.S. east coast, maybe the west coast, and attempt to cause a cascading effect," he said.

"All of those things are in the art of the possible from a sophisticated attacker... the United States is not prepared for such an attack."

Derek Burney, a former Canadian ambassador to Washington, also believes the Canada-U.S. power grid is probably a primary cyber target, more so than oil and gas pipelines. Writing in the online edition of Global Brief, Canada's new international-affairs journal, he urged a more robust defence for computer systems, "as well as enhanced information sharing between countries and among targeted industries. Canada and the U.S. should be in the vanguard of states planning appropriate defences against cyber attacks from within and without."


in Year

LATEST Electrical Jobs

Content Community Connection

ELECTRICITY TODAY | Advertisements