New law allows the U.S. president to declare a “grid emergency” and have the federal government take over distribution of power.
You’re sitting at home, reading this article on your laptop. Suddenly, the power goes out.
If it were a massive cyberattack on the North American power grid, who would be in charge of getting your lights back on, and getting power restored to businesses, traffic systems and hospitals?
President Obama has now signed a new bill into law that lets him declare a “grid emergency” in case of a cyberattack, physical attack, or natural disaster, like a geomagnetic storm or electromagnetic pulse, according to multiple reports.
“Such a declaration would authorize the energy secretary to issue emergency orders to protect or restore electric infrastructure critical to ‘national security, economic security, public health or safety,’” reported RTO Insider.
Why make this law?
The law aims to “firm the U.S. electric grid against a variety of attacks and outages, and includes plans to develop a strategic reserve of transmission equipment,” reported Utility Dive.
The security measures came from “growing worries about grid vulnerabilities,” the site said, and would create a strategic reserve of equipment like super-sized transformers to be moved quickly into place in case of attack.
“Key energy security provisions in the legislation will provide the Department of Energy with emergency authority to respond to threats to the power grid, will help to protect sensitive information about critical electric infrastructure facilities, and will resolve environmental and grid reliability conflicts,” said Edison Electric Institute President Tom Kuhn, according to Utility Dive.
Will the president declare a grid emergency?
It would require a written declaration by the president and a notification of congress, said Steven Parker, managing partner at Archer Security Group.
“Presumably, that could not be done secretly, and therefore would invoke a media firestorm that would make the Trump envious. Aliens might actually show themselves just to get in on the story,” Parker said.
“Given the requirement for a Presidential declaration and the attendant publicity and hysteria that would be associated with such a thing, it is unlikely this provision will be used much,” he added. “Nevertheless, it is a weighty hammer hanging over the head of industry.”
Who would be in charge?
The president would not be the one trying to get your lights back on in such an emergency. The Department of Energy would take over, running a distribution system that is currently managed by the states.
“This new law shifts that to the Feds under certain circumstances,” said Patrick C. Miller, also of Archer Security Group. “State vs. Fed issue, one that’s been a bloody bar fight for many years.”
Miller said the “grid emergency” would allow the federal government a toehold into the distribution space, a controversial step.
He said some utilities are concerned that if the federal government expands its reach into distribution, including during non-emergencies, the quality of service for customers could go down, customer rates could go up, and states could eventually lose control over systems.
More to do
Cybersecurity experts said there is more work to be done in protecting the power grid.
“It’s really great to see more focus from the national government into trying to help with national infrastructure protection,” said Robert M. Lee, Certified Instructor at SANS Institute. “However, part of my concern is a lot of the narratives we are discussing regarding threats comes from limited case studies or fictional novels.”
Lee said there needs to be more focus on sharing information as well.
“These efforts shouldn’t stop and wait, but we as an ICS (industrial control systems) industry need to be much more open in terms of finding incidents, sharing them, and using case-studies to drive a better discussion on both the threats and what is needed to counter them,” he said.
“This requires a combination of cultural change as well as technical skill increases in the areas of network security monitoring and incident response training,” added Lee.