Sept. 17, 2003
FERC Notice of Proposed Rulemaking
Mr. KERRY. Mr. President, the front page of the Washington Post recently featured a local graduate student who skillfully mapped the electronic networks that interconnect every business and industrial sector in the American economy. The article emphasized how the information was readily available on the Internet and the associated security concerns. It also discussed the astonishment and alarm among industry leaders upon hearing about it.
Early this year, the Department of Homeland Security published two papers emphasizing the need to secure critical infrastructure from physical and cyber-attacks, including all aspects of the electric power infrastructure system. This was clarified further by the Federal Energy Regulatory Commission (FERC) in its Notice of Proposed Rulemaking on Standard Market Design, which states, "wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission, or grid management system can compromise the reliability of a major portion of the grid."
Simply put, experts in the public and private sector, time and time again, acknowledge the vulnerability of the entire national electric power infrastructure and that all aspects should be protected. As blatantly demonstrated by the recent blackouts in the northeastern United States, the viability of the national power grid is an important national security concern.
I am concerned, therefore, that a cyber security standard recently proposed by FERC, which is designed to protect the electric power grid, exempts "process control systems, distributed control systems, or electric relays installed in generating stations, switching stations and substations" from the definition of "critical cyber assets" to be protected.
Despite the clear intent of the Department of Homeland Security and FERC to protect the power system entirely, the proposed rule calls for only partial protection. The FERC decision may mean that power distribution is protected, while power generation remains vulnerable.
Mr. KENNEDY. If the Senator will yield for a comment. I have been made aware that technology exists in the marketplace that is capable of protecting power generation assets. I am aware of at least one company, in fact, a Massachusetts company, that has developed software capable of protecting our power generation assets from cyber attack. If the technology exists, are we not obligated to protect these assets? Protecting transmission without protecting generation is like protecting airports without protecting aircraft. Isn't it reasonable, therefore, to conclude that the entire national power grid, including generation, should be protected?
Mr. KERRY. Mr. President, I think the answer is yes. No aspect of the electric power grid should be exempt from this cyber security standard. I urge the ranking member to work with us to address this issue during conference committee consideration of the Energy and Water appropriations bill for fiscal year 2004. With my good friend, the senior Senator from Massachusetts, I ask the Appropriations Committee, in conference with the House of Representatives, to include a requirement that the Federal Energy Regulatory Commission report to the committee and the Congress as to why generating infrastructure was excluded from the proposed rule.
Mr. REID. I thank the Senator from Massachusetts for bringing this issue to my attention. I agree that process control systems, distributed control systems, or electric relays installed in generating stations, switching stations and substations are indeed critical assets of the national electric power infrastructure and should not be exempt from protected assets. I look forward to addressing this issue in conference committee.