U.S. Sen. Edward Markey, D-Mass., wants answers from the U.S. government and power industry on cyberattacks launched by Russia against the U.S. electric industry since 2016.
In letters dated Aug. 13 and addressed to various federal agencies, the North American Electric Reliability Corp., federal power marketing organizations and ten leading electric utilities, Markey inquired about Russian cyberattacks since the 2016 start of a hacking campaign and about steps being taken to identify vulnerabilities and protect against future attacks.
The more-than-two-year-long campaign against the U.S. power sector by suspected Russian government-backed hackers snared hundreds of power companies and third-party vendors and gained access to utilities' internet-isolated — or "air-gapped" — control systems through compromised vendors. The U.S. Department of Homeland Security first acknowledged the attacks in a March emergency alert and said the campaign was likely still ongoing as of late July.
"From elections to electricity, we know that Russia will continue to launch cyberattacks on our systems," Markey said in a press release. "Unless we act now, the United States will continue to remain vulnerable to the 21st century cyberarmies looking to wage war by knocking out America's electricity grid."
"We need answers and assurances from stakeholders who operate and oversee the grid that they are doing everything possible to secure our nation's electrical system against devastating damage from physical or cyber-terrorist attacks," according to Markey, who serves as the ranking member of the Subcommittee on East Asia, The Pacific, and International Cybersecurity Policy.
In the inquiries, Markey asked each utility whether it had been a victim of Russian cyberattacks, how its systems were infiltrated and what steps are being taken to prevent future attacks. Reflecting the reality that Russian intelligence agencies are targeting software designers of industrial control systems, Markey also asked what steps are being taken to address "corruption" of third-party firmware and software.
In his letters to the U.S. Departments of Energy and Homeland Security and the Federal Energy Regulatory Commission, Markey requested more information about the role each federal agency plays in identifying, analyzing, responding to and creating new rules and standards to address cyber vulnerabilities of electric utilities. Markey also wanted to know about cross-agency cooperation on cybersecurity for electric utilities, efforts to proactively identify vulnerabilities in the power grid and efforts to engage both electric utilities and "critical third party vendors" to safeguard the power industry.