Capitol Hill discussion about the electric grid is shifting to physical security, leading federal officials and some lawmakers to worry that focus on cybersecurity is waning.
Lawmakers such as Senate Majority Leader Harry Reid, D-Nev., and Senate Intelligence Committee Chairwoman Dianne Feinstein, D-Calif., have given increasing attention to physical grid security following an April 2013 attack at a San Jose, Calif.-area transmission substation by armed gunmen.
The Federal Energy Regulatory Commission responded last week by initiating an effort to craft baseline physical security standards. But some federal officials and lawmakers say the emphasis on physical security is misplaced when the cyber realm presents a more significant and likely threat.
"My concern is that many people have jumped on the reaction train here with regard to the Metcalf [substation near San Jose] incident," FERC Commissioner John Norris wrote last month. "[E]lected officials and [former FERC Chairman Jon Wellinghoff] seem to be calling for significant measures specifically geared toward erecting various physical barriers to our grid infrastructure. I am concerned that such actions are a 20th century solution for a 21st century problem."
House Intelligence Committee Chairman Mike Rogers, R-Mich., said he's trying to get House-passed cybersecurity legislation "off the backburner" in the Senate, noting he's had productive conversations recently with Feinstein and Sen. Saxby Chambliss, R-Ga., the Intelligence Committee's top Republican.
"As one [utility] CEO said, 'There is a chance of a physical threat. But I am getting attacked about every minute of every hour of everyday on the cyber," Rogers told the Washington Examiner. "Just because we can't see it doesn't make it any less dangerous."
Fears on the physical side grew Thursday after a Wall Street Journal article detailed a FERC analysis that said coordinated strikes on nine key substations and a transformer manufacturer could cause coast-to-coast blackouts for as long as 18 months.
Acting FERC Chairwoman Cheryl LaFleur slammed the Journal story, saying, "The publication of sensitive material about the grid crosses the line from transparency to irresponsibility, and gives those who would do us harm a roadmap to achieve malicious designs."
The sputtering of cybersecurity legislation the past several years has sapped momentum. And now it appears lawmakers and electric utilities are looking to score easier, more visceral wins on physical security, some suggested.
"I wouldn't be surprised if we had a momentary deviation into the physical stuff," said Patrick Miller, an electric grid cybersecurity expert and managing partner with the Anfield Group. "But I think any utility that's going to rush out and spend millions and millions more should really look into whether that will move the needle for them."
The concern among experts is that political pressure might compel utilities to spend on physical improvements — and many utilities don't have the finances to invest in physical and cyber protections simultaneously.
Most utilities operate as regulated monopolies in which states award them a dedicated customer base. In exchange, those utilities must get approval from state commissions to raise electricity rates.
At the same time, distributed power generation — such as from rooftop solar installations — is eating at utilities' bottom lines in an unprecedented fashion.
"There's still a lot of confusion [on cybersecurity]. There's struggling with the pressure to improve physical security knowing how much it costs, and their world is changing underneath them," Miller said.
Though Rogers said the committee is looking into the physical issues, he warned that grid cyberthreats are "only going to get worse" as hostile nations train people to attack other countries' systems.
Former CIA Director Michael Hayden weighed in as well at a recent Washington event hosted by the Bipartisan Policy Center, saying, "An awful lot of our approach is stupid" on electric grid cybersecurity.
Energy Secretary Ernest Moniz added to those calls last week at a Houston energy conference, saying that "the majority of cyberattacks in the U.S. have involved energy infrastructure."
Adding "smart" devices such as transmission sensors, enhanced monitoring systems and other elements that communicate to the utility through Internet protocol technology would be a better use of resources, experts suggest. That's what the Obama administration is advocating -- it's likely to be a recommendation of a sweeping review of U.S. energy infrastructure due next January.
That does, however, bring another set of complications. As more of the grid operates on Internet-based technology, it opens more of it to cyberattack. Hackers could then control the grid's physical elements from afar.
"The supply chain is difficult to control," Scott Aaronson, senior national security policy director with utility trade group Edison Electric Institute, at the Bipartisan Policy Center event. "Every new technology component is a potential vulnerability."
At the utility level, cybersecurity presents a bit of a culture shock — most executives have minimal literacy on the topic. The utility sector workforce — including within the federal government, which has hosted recruitment "camps" — is also in "desperate, desperate need" for cybersecurity skills, Aaronson said.
The industry also has been slow to adopt best practices, though experts say it's coming along. An executive order issued by President Obama in February 2013 makes it easier for utilities to share information about potential vulnerabilities without fear of violating privacy laws.
Still, the White House took that step only after legislative efforts collapsed in 2012. And Rogers warned that failing to try again on the legislative front could spell disaster.
"You have al Qaeda out there advertising in their networks for people that have this capability to cause harm," the Michigan Republican said. "We better wake up before they wake us up."