Markey Presses Utilities, Agencies for Details on Reported Russian Hacks

Sen. Edward Markey, D-Mass., is pressing major electric utility companies for details about whether and when their systems have been penetrated by Russian-affiliated hackers, and at the same time is querying several Federal agencies about what they are doing to help utilities recognize and prevent attempts to break into their networks and control systems.

The senator’s queries to industry and government agencies follows reports from the Wall Street Journal last month that Russian government-based hackers to various degrees penetrated the U.S. electric grid through “hundreds” of power companies and third-party vendors.  To what degree hackers achieved network and system penetration has been the subject of some argument since, but Markey said in his Aug. 13 letters that the hackers, working through vulnerabilities in vendor networks, “gained access to the control rooms of U.S. electric utilities, putting them in position to severely disrupt the U.S. power flow.”

In letters to ten large utilities including Southern Company, Exelon, and Entergy Corp., Markey asked: whether those companies were hacked; how their systems were infiltrated; what steps they are taking to prevent further incursions; what steps they are taking to prevent incursions via third-party firmware and software; how they assess whether third-party vendors pose cybersecurity risk; how and whether they have followed cybersecurity recommendations from the North American Electric Reliability Corp.; and whether they believe that the Federal Energy Regulatory Commission’s (FERC) Critical Infrastructure Protection Standards adequately protects against “all known cybersecurity vulnerabilities.”

The senator asked the utilities to respond by Sept. 7.

In separate letters to the Department of Homeland Security, Energy Department, and FERC, Markey asked for staff briefings by Sept. 7 on a range of issues including: the roles they play in creating rules and standards to address cyber vulnerabilities of electric utilities; how they work with other federal agencies to coordinate cybersecurity efforts for electric utilities; steps they take to proactively identify electric grid vulnerabilities; and what more can be done to improve electric grid resiliency “against sophisticated and relentless cybersecurity attacks.”

“From elections to electricity, we know that Russia will continue to launch cyberattacks on our systems,” the senator said in a statement.  “Unless we act now, the United States will continue to remain vulnerable to the 21st century cyberarmies looking to wage war by knocking out America’s electricity grid. We need answers and assurances from stakeholders who operate and oversee the grid that they are doing everything possible to secure our nation’s electrical system against devastating damage from physical or cyber-terrorist attacks.”

Recent