Blackout! Are We Prepared to Manage the Aftermath of a Cyber-Attack or Other Failure of the Electrical Grid?
2167 Rayburn House Office Building
This is a hearing of the Subcommittee on Economic Development, Public Buildings, and Emergency Management.
Subcommittee on Economic Development, Public Buildings, and Emergency Management
Hearing on “Blackout! Are We Prepared to Manage the Aftermath of a Cyber-Attack or Other Failure of the Electrical Grid?”
(Remarks as Prepared)
Today we are holding a hearing to explore a critical and timely topic. There have been numerous Congressional hearings on cybersecurity and how to stop the “bad guys.” What has not been discussed in great detail is what the consequences will be from a massive cyberattack that brings down, for example, a large portion of the electrical grid for an extended period of time.
The purpose of today’s hearing is to answer an important question: with respect to cyber threats to the electrical power system, what consequences should the federal government tell states and local governments to prepare for? In other words, for how many people and for how long should states plan on being without power?
The federal government does this now for almost every significant hazard we face. Whether it is a category 5 hurricane hitting Miami or an 8.0 earthquake in Los Angeles, the federal government has realistic estimates or scenarios for states to plan.
The federal government does not have this basic planning scenario for a cyber threat to the power system and there is a huge disparity in what different groups think is a potential scenario for which states and local governments should prepare.
And the difference would be significant for local governments. If the power is out for a few days, it can be an inconvenience, but if it is out for several weeks, or a month or more, the local government has to potentially plan for increased public safety, water treatment, sheltering or evacuation, fuel delivery for generators and many other contingencies.
What should we plan for? Ted Koppel in his book says we should plan on six to 18 months of uninterrupted blackouts. The industry seems to say a cyberattack could at most cause an interruption in terms of days, not weeks.
Today, we are going to hear testimony from the Federal Emergency Management Agency, the Department of Energy, the Department of Homeland Security's National Protection and Programs Directorate, the Congressional Research Service, the North American Electric Reliability Corporation, and representatives from the electrical industry. I hope to get an answer to this question for state and local governments.
Imagine what we would do without electricity for a day? A week? A month? A year? Virtually all critical infrastructure is dependent on the electrical grid, particularly the “lifeline sectors”—telecommunications, transportation, water, and financial services. And if the goal of the “bad guys” is to collapse the U.S. economic system, they are going to try to cut off the power. There have been reports of hacking attempts on electrical facilities by foreign and domestic parties. Our national security, public safety, economic competitiveness, and personal privacy are at risk.
According to the Department of Homeland Security, the energy sector was the target of more than 40 percent of all reported cyberattacks. And even more disconcerting was the December 2015 cyberattack on Ukraine's electric grid, which affected four dozen substations and left a quarter million people without power. At the same time as the attack on the grid itself, call centers were hit with a telephony denial-of-service attack as customers were trying to report the outages. If anyone thought this was a glitch, think again.
The electrical grid is not only under attack from cyberspace; the electric power sector is all too familiar with the devastation storms like Hurricane Sandy can leave behind, or physical attacks like the 2013 incident at the Metcalf Substation in California.
Thankfully, in the cases of storms and physical attacks, the power sector has strong plans in place and redundant systems to restore power quickly and avoid the loss of life and property. But I am concerned about a cyberattack. Are there similar plans in place for industry and state and local government? Will those redundancies provide the same types of protections?
Most recently, I have been discussing this topic with constituents in my district asking what they will do in their communities if the power is out for a prolonged period of time. Honestly, most of them don’t know because we don’t know what to plan for. We have brought together the right people here to tell us.
We are also going to discuss what preparedness looks like, best practices, and how we can achieve a greater level of readiness. I am encouraged to hear the industry talk about an “all-hazards” approach and focusing on mitigating the greatest risks, but I think there are some unique characteristics of the cyber threat that require specific planning guidelines.
I know we cannot “gold plate” the system, but given the interdependency of electricity with our daily lives, it is crucial that we understand the risks and be prepared for the likely consequences possible from the failure of that system.