Washington — A pair of US senators on Wednesday asked the North American Electric Reliability Corporation what it was doing to protect the electricity grid from cybersecurity threats posed by Russia and China, noting the two countries have the ability to take down a natural gas pipeline or electrical distribution network.
Senators Joe Manchin (Democrat-West Virginia) and Angus King (Independent-Maine) are particularly worried about components and software made by Russia's Kaspersky and China's ZTE and Huawei, they told NERC CEO James Robb in a letter.
The Department of Homeland Security has barred products from Kaspersky, a cybersecurity firm, from being used in federal government information systems. DHS cited requirements under Russian law that allow Russian intelligence agencies to request or compel assistance and to intercept communications transiting Russian networks, the letter said.
NERC subsequently alerted its members to the risks posed by Kaspersky products, the senators said. Congress also has effectively banned Huawei and ZTE from federal contracts for telecommunications equipment or services, they said.
"We fear the same risks posed to the country's federal agencies and departments, telecommunications networks and military assets also threaten to impair the reliability of our nation's energy infrastructure," said Manchin and King, both members of the US Senate Committee on Energy and Natural Resources.
The senators noted that the director of national intelligence, Daniel Coats, has said that China has the potential to take out a gas pipeline and Russia has the ability to disrupt an electrical distribution network, and the countries have expanded their cooperation since 2014.
Manchin and King asked NERC about its efforts to protect the bulk power system from supply chain vulnerabilities. They asked whether NERC has tried to determine whether the bulk power system includes any components or software provided by Kaspersky, ZTE or Huawei, whether NERC has issued guidance for mitigating potential risks posed by these products, and what the next steps are for mitigating these risks.
The Federal Energy Regulatory Commission in October signed off on new NERC requirements (RM17-13) aimed at managing supply chain risks, such as the insertion of counterfeit or malicious software, unauthorized production, tampering, theft and poor manufacturing and development practices.
NERC, through its Electricity Information Sharing and Analysis Center, works with government and industry to obtain, analyze and share actionable information to support an effective cyber defense of the bulk power system, said NERC spokeswoman Kimberly Mielcarek.
"We look forward to the continued dialogue with senators Manchin and King on how these ongoing activities address the issues raised in their letter," she said.
Public power entities depend on the government to inform them about threats from foreign entities, and the E-ISAC is the conduit for that threat information, said Jack Cashin, director of Policy Analysis & Reliability Standards at the American Public Power Association. The public-private partnership of the Electricity Subsector Coordinating Council also serves as a way to share information between industry and government, he said.
The Russian laws referenced in the senators' letter do not apply to Kaspersky Lab, the company said in a statement. No public evidence of any wrongdoing has been presented by the US government, and the company contends the government's adverse actions against Kaspersky Lab were unconstitutional, the statement said.
"Kaspersky Lab has always abided by the highest ethical business practices and stringent industry standards throughout its history, and has never, nor will ever, engage in cyber offensive activities," the company said.
-- Kate Winston, firstname.lastname@example.org
-- Edited by Richard Rubin, email@example.com