Few utilities complying with voluntary anti-Stuxnet measures

From: The Hill/Hillicon Valley

By Amrita Khalid

Few electric utilities are complying with voluntary measures to protect against the Stuxnet virus, according to a survey sent by two lawmakers to 150 firms.

The report found that less than a quarter of investor-owned utilities and less than half of municipal and cooperative-owned utilities followed through with voluntary standards issued by the Federal Energy Regulatory Commission after the Stuxnet worm struck in 2010.

It found that the electric grid is the target of daily cyber attacks, with one utility reporting that it was the target of approximately 10,000 attempted cyber attacks each month. No utilities reported any damage from the attacks.

Rep. Henry Waxman (D-Calif.), who with Rep. Edward Markey (D-Mass.) released the study, called the findings “sobering.”

“The failure of utilities to heed the advice of their own industry-controlled reliability organization raises serious questions about whether the grid will be adequately protected by a voluntary approach to cybersecurity,” said Waxman at a House Energy and Commerce Committee hearing.

President Obama’s cybersecurity order tasked the National Institute of Standards and Technology (NIST) with creating incentives for critical infrastructure to protect itself against cyber attacks.

While Waxman called Obama’s executive order a “step in the right direction,” the lawmaker said there was a need for new legislation that would make protections mandatory.

“A voluntary approach to cybersecurity might make sense for some sectors, but experience shows that it cannot be relied upon to protect the electric grid,” he said.

Several Republicans argued against a mandatory approach, saying mandatory rules could become quickly outdated.

“One of the things we know is that cybersecurity is uniquely ill-suited for federal regulation. Rapid changes in technology guarantee the failure of static, prescriptive approaches,” said Rep. Marsha Blackburn (R-Tenn.).

Committee Chairman Fred Upton (R-MI) voiced skepticism of a “top-down, command-and-control” regulatory approach that would allow the Department of Homeland Security or any other agency to regulate the private sector.

“I believe that the best approach to improve cybersecurity is for existing regulators to work with industry stakeholders, and for robust information sharing between government and stakeholders,” said Upton.

The U.S. government reportedly created Stuxnet in partnership with Israel to target Iranian nuclear facilities, but the worm escaped onto the public Internet.
