Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Maine, Tuesday released the following letter to the Federal Energy Regulatory Commission regarding cybersecurity and the electric grid.
July 17, 2012
The Honorable Jon Wellinghoff, Chairman
Federal Energy Regulatory Commission
888 First Street, NE
Washington, DC 20426
Dear Chairman Wellinghoff:
As you well know, our nation relies on the electric grid in almost every aspect of our lives. It powers our lights, our communications, our businesses, our hospitals, and our emergency first responders. Protecting the grid from accidental or intentional disruption is therefore a matter of national security. An essential aspect of protecting the grid is ensuring it has adequate cybersecurity.
Recently, allegations were brought to our attention that two Authorized Certification Authorities (ACAs) may be failing to meet cybersecurity requirements. ACAs are responsible for issuing digital certificates -- certificates that allow trusted parties to enter the electric grid's cyber business systems. Such certificates are vitally important to establishing trust in the communications between devices and other power companies. Once certificates are compromised, attackers can have a "skeleton key" to circumvent security measures and access a wide variety of systems on the electric grid.
The particular standards at issue were developed by a voluntary industry group called the North American Energy Standards Board (NAESB) and were adopted by reference and put into regulation by the Federal Energy Regulatory Commission (FERC) at 18 CFR 38.2. These industry-developed standards require that the life span of a certification be no more than 20 years. However, the allegations brought to our attention are that two Authorized Certificate Authorities have been issuing digital certificates with a 30-year lifespan -- ten years greater than allowed under FERC regulations. As these certificates form the foundation for the cybersecurity of the electric grid, it is critically important that their security requirements be enforced to ensure protection against malicious actors. If these allegations are true, the violations could undermine part of the security system protecting our grid.
Given the ever-increasing threat of catastrophic cyber attacks to our nation's most critical infrastructure, we request that you conduct an expeditious comprehensive investigation into these allegations and provide our staff with detailed information on your findings and any actions FERC will take in response to such findings. Please contact Matt Grote with the Homeland Security Committee Majority staff at 202-224-2627 or Denise Zheng with the Committee's Minority staff at 202-224-4751 for further information regarding these allegations.
Thank you for your prompt attention to this important matter.
Joseph I. Lieberman, Chairman
Susan M. Collins, Ranking Member