Thank you, Chairman Thornberry, Chairman Camp and Members of the Committee.
It is a pleasure to appear before you today to discuss
the implications of Power Blackouts for the Nation’s Cybersecurity
and Critical Infrastructure Protection.
The Information Analysis and Infrastructure Protection Directorate
(IAIP), and specifically my office, Infrastructure Protection,
has been actively involved in the analysis of the cause of the
blackout and the implications of the blackout on security of the
electric grid as a whole. Let me provide you with a summary of
our efforts.
Following the regional power outage in the Northeast
on August 14, 2003, the Department of Homeland Security (DHS)
set up a Crisis Action Team (CAT) to monitor the situation and
to conduct real-time analysis of other potential events. The
blackout was the first
major event of its type that the IAIP team handled and I am pleased
to report that our team simultaneously tackled the issue from
multiple angles. The Infrastructure Coordination Division focused
on the outage itself and the operational impact on the infrastructures,
the National Cyber Security Division looked into the possibility
that the blackout might have been caused by a cyber attack, and
our Protective Security Division assessed emerging vulnerabilities
caused by the blackout to assess the “what’s next” picture.
Concurrently, Information Analysis (IA) entities analyzed previous
and current intelligence traffic and coordinated with Intelligence
Community and Law Enforcement partners to ascertain if the cause
of the blackout was attributed to a bad actor. Additionally,
the Homeland Security Operations Center was involved in the response
effort, coordinating communications between state and local first
responders, the administration, and other federal agencies. Situational
awareness of the affected area, and the entire nation, was maintained
throughout the event.
DHS coordinated with the sectors affected by the outage, both
updating them on information related to the cause and responding
to requests for information. While no actionable threat information
emerged during the event, it is important to note that the ability
to communicate with the infrastructure sectors was in place to
facilitate the sharing of information.
Our coordination and monitoring activities were not limited to
the energy sector, and included telecommunications, banking/finance,
health services, and transportation.
While the national focus was primarily on the blackout and its
cause, our teams were hard at work assessing the cascading effects
into other sectors. Interdependencies among the sectors were again
demonstrated by this event: seven major petroleum refineries suspended
operations; many chemical manufacturing plants were shut down;
grocery stores lost perishable inventories; hospital emergency
rooms treated an above average number of cases of suspected food
poisoning; air traffic ceased at several major airports; and emergency
services capacity was tested. Websites were shut down, ATMs did
not work in affected areas and the American Stock Exchange did
not operate for a period of time. The effect of the blackout illuminated
what we already knew at the Department: If one infrastructure is
affected, many other infrastructures will likely be impacted. Indeed,
all of the critical infrastructure sectors were affected by this
event.
Understanding vulnerabilities and the interdependencies associated
with cascading events is an area of great importance to the Department,
and we have people focused on the issue to ensure that we can anticipate
effects and prioritize our efforts based on the bigger picture,
not just reacting to what is easily and immediately observed.
Preventing a physical or cyber attack on key nodes of the nation’s
power grid is fundamental to protecting our Homeland. Accordingly,
DHS is working closely with the Department of Energy and other
federal agencies as we identify the factors that caused and contributed
to the blackout, and look for protective measures to prevent
such an outage in the future.
As has been widely reported, the portion of the power grid affected
by the August 14th blackout is made up of a very complex interconnected
network of scores of separate companies that includes hundreds
of power-generation facilities. In addition to physical connections
among the facilities involving the transmission of power, there
are numerous cyber connections among their IT infrastructures and
those of companies that were unaffected. There is a wide range
in age and sophistication of the technologies upon which these
systems depend. In recent years, the process control systems that
facilitate decision making in critical situations have often been
made easier by the use of computer technology. The industry is
in the process of moving forward with efforts to reduce possible
vulnerabilities and improve cyber security. This information provides
a backdrop for why we are investigating the possibility of a cyber
connection to the blackout. There is presently no evidence that
the blackout was caused by any criminal or terrorist cyber attack,
although we continue to coordinate and share information with law
enforcement to support our investigation.
On August 28, I was appointed Co-Chair to the Security
Working Group (SWG) of the U.S. – Canada Power System Outage
Task Force. The SWG, which consists of Federal and State government
representatives from the United States, as well as Canadian representatives,
is focused on determining if a cyber event directly caused or
significantly contributed to the events of August 14. The data
collection and analysis is ongoing and much work remains to be done
before we have a definitive answer.
IAIP was tasked with ensuring that the Secretary and the President
had the complete picture of what was happening, looking for
areas that might be more vulnerable as a result, and coordinating
the information flow throughout the sectors and with other federal
agencies. We learned some valuable lessons that have already
driven some internal changes, such as institutionalizing joint
operations within IAIP, and the absolute requirement of maintaining
a forward-looking “what’s next” posture,
not becoming focused exclusively on current events.
I am proud of the way the IAIP team responded to this event and
I am confident that we are developing a solid team that America
can count on in difficult times, whether they be times of heightened
threats, attempted attacks, or blackouts.
While it will be some time before the Task Force determines the
exact causes of the blackout, we know the system is vulnerable
and we maintain a daily watch over what parts of the grid might
be more vulnerable to attack because of system operations. We have
conducted vulnerability assessments at electric power facilities,
we have a protection strategy for key components, and we are working
with industry and federal partners to determine the best way to
implement that strategy.
Progress has been made, but the work is ongoing. I look forward
to providing this committee and Congress with further updates.