Electromagnetic Pulse

Is DHS Dropping the Ball on Critical Infrastructure Protection?

 

 

Congress Passed Critical Infrastructure Protection Provisions in 2016

The Critical Infrastructure Protection Act was a bill introduced in Congress in 2013 and 2015 and finally passed in the National Defense Authorization Act for Fiscal Year 2017 (NDAA). Congress said the provisions were designed “to protect Americans from an electromagnetic pulse (EMP), a threat experts consider one of the most serious risks to our national security.”

There is very little information available about the federal government’s implementation of Critical Infrastructure Protection provisions of the NDAA. There are several reports that the Department of Homeland Security (DHS) is supposed to have filed by now with Congress. I can’t find the reports. It raises questions as to whether the required work is actually being done – and the quality and transparency of any work as well.

On December 23, 2016, the provisions of the Critical Infrastructure Protection Act (CIPA) were passed as section 1913 of the National Defense Authorization Act for Fiscal Year 2017. The NDAA is 970 pages long. (Click here for the relevant 4 pages with the public law provisions of “CIPA.”) The links to the full Act and U.S. Code versions are provided below. (It gets confusing because the government at times likes to cite an Act, and at other times likes to cite to the U.S. Code – often it does both in the same document. This can make it very hard to follow.)

 

What Has DHS Done on the Critical Infrastructure Protection Provisions?

There has been a great deal of public attention, press articles and increased awareness of the threat of EMP since September of 2017, when it was widely reported that North Korea detonated a hydrogen bomb and threatened the U.S. with an EMP attack. For example, Newsweek, CBC News, The Huffington Post, and the Boston Herald, to name only a few, reported on the EMP threat.

DHS Advice on Critical Infrastructure Security

What is not at all in the public domain is any information on the federal government’s activities or operations to prepare for an attack on the critical infrastructure. It has been over a year since the critical infrastructure protection provisions were implemented. There are specific timelines for reports and actions in the provisions.

We’ve heard crickets. In fact, the “Energy Sector-Specific Plan” has not been updated since 2015 and makes only 3 cursory references to EMP and GMD events.

These reports required by the NDAA are critical to inform Congress and the public on DHS efforts to protect the United States against threats such as EMP and GMD.

 

What Are the Critical Infrastructure Protection Provisions of Section 1913 of the NDAA?

Here are the main requirements and reports mandated by section 1913 of the NDAA:

  1. Section 1913(a)(1) adds the terms “EMP” and “GMD” to the definitions section of the Homeland Security Act of 2002 (6 U.S.C. §101 et seq.) [NOTE: This has been done.]
  2. Section 1913(a)(2) adds 6 U.S.C. §121(d)(26)(A) titled: “Information and Analysis and Infrastructure Protection.” This section requires DHS to conduct an intelligence-based review and comparison of the risks and consequences of EMP and GMD facing critical infrastructure and submit to Congress within 6 months of December 23, 2016 a recommended strategy to protect and prepare the critical infrastructure of the homeland against threats of EMP and GMD. This strategy must be updated every 2 years. [NOTE: I have not been able to find this review and strategy. Also, see 5 below.]
  3. Section 1913(a)(3) adds 6 U.S.C. § 195f titled: “EMP and GMD mitigation research and development.” This section requires DHS to conduct research and development to mitigate the consequences of threats of EMP and GMD. There are specific requirements about the scope of the research and development. [NOTE: I have not been able to find any information on this.]
  4. Section 1913(a)(4) adds 6 U.S.C. § 321p titled: “National planning and education.” This section requires DHS to include in national planning frameworks the threat of an EMP or GMD event and also to “conduct outreach to educate owners and operators of critical infrastructure, emergency planners, and emergency response providers at all levels of government regarding threats of EMP and GMD.” [NOTE: I have not been able to find any information on this.]
  5. Section 1913(c): “DEADLINE FOR INITIAL RECOMMENDED STRATEGY.—Not later than one year after the date of the enactment of this section, the Secretary of Homeland Security shall submit the recommended strategy required under paragraph (26) of section 201(d) of the Homeland Security Act of 2002 (6 U.S.C. § 121(d)), as added by this section.” [NOTE: I have not been able to find any information on this. Also, see 2 above.]
  6. Section 1913(d): “REPORT.—Not later than 180 days after the date of the enactment of this section, the Secretary of Homeland Security shall submit to Congress a report describing the progress made in, and an estimated date by which the Department of Homeland Security will have completed—
    • including threats of EMP and GMD (as those terms are defined in section 2 of the Homeland Security Act of 2002, as amended by this section) in national planning, as described in section 527 of the Homeland Security Act of 2002, as added by this section;
    • research and development described in section 319 of the Homeland Security Act of 2002, as added by this section;
    • development of the recommended strategy required under paragraph (26) of section 201(d) of the Homeland Security Act of 2002 (6 U.S.C. §121(d)), as added by this section; and
    • beginning to conduct outreach to educate emergency planners and emergency response providers at all levels of government regarding threats of EMP and GMD events.”

[NOTE: I have not been able to find any information on this.]

 

The Initial Deadlines For Reports Have Passed

It looks to me like DHS should have submitted at least two reports to Congress by now, possibly 3. I have not seen them. Specifically:

  • Section 1913(a)(2): Within 6 months of December 23, 2016 a recommended strategy to protect and prepare the critical infrastructure of the homeland against threats of EMP and GMD should have been submitted to Congress.
  • Section 1913(c): Not later than one year after the date of the enactment of this section, the Secretary of Homeland Security shall submit the recommended strategy required under 6 U.S.C. §121(d)(26)(A) [Seems to be similar to the report mentioned above in PL 14-328 §1913(a)(2).]
  • Section 1913(d): Not later than 180 days after the date of the enactment of this section, DHS was supposed to submit to Congress a report describing the progress made in most of the provisions of PL 14-328 §1913.

These reports were supposed to be unclassified (i.e., should be available to the public) and were supposed to be submitted to:

 

Conclusion

If DHS has not done the reports required by section 1913 of the NDAA for Fiscal Year 2017, one would hope that DHS requested and was granted an extension of time by Congress for good cause shown.

If the reports simply have not been done, that would be bad. Really bad. Unless I’m mistaken, isn’t the Department of Homeland Security in charge of homeland security?

 


References:

Public Law version:

U.S. Code version:

For more information from congress:


My Comments to FERC on Grid Cyber Security

 

 

[Click Here for Background Info]

[Click Here for the filed PDF copy: FERC Comment Docket RM18-2-000 (Mabee)]


February 23, 2018

 

Comments submitted in FERC Docket RM18-2-000

Cyber Security Incident Reporting Reliability Standards

 

Dear Chairman McIntyre, Commissioner Chatterjee, Commissioner LaFleur, Commissioner Powelson, and Commissioner Glick:

 

Background:

I am a private citizen who has taken it upon himself to study the vulnerabilities of the U.S. electric grid to a variety of threats. My research led me to write a book about how communities can prepare for and survive a long-term power outage.[1] It is a book that never should have had to be written. I’m a regular working American with a regular day-job, but in my spare time I work with several non-profit groups to raise awareness of the existential threats the United States faces vis-à-vis the threats to the electric grid. I continue to write extensively on the subject. It is an occupation I never should have had to have.

On January 13, 2017, the Foundation for Resilient Societies filed a petition for rulemaking[2] with FERC because the electric grid does not have sufficient cyber security protection. Not surprisingly, the electric industry objects and seems to try to assure us that everything is fine.

Threats to the Bulk Power System and Critical Infrastructure:

On March 28, 2017[3] the Senate Committee on Homeland Security and Governmental Affairs reported this about the critical infrastructure:

“The United States depends on its critical infrastructure, particularly the electric power grid, as all critical infrastructure sectors are to some degree dependent on electricity to operate. A successful nuclear electromagnetic pulse (EMP) attack against the United States could cause the death of approximately 90 percent of the American population. Similarly, a geomagnetic disturbance (GMD) could have equally devastating effects on the power grid.” (Page 6.)

And the previous year, the House held a hearing entitled: “Blackout! Are We Prepared to Manage the Aftermath of a Cyberattack or Other Failure Of The Electrical Grid?”[4] In this hearing, the Committee noted that:

“The DHS reports that the energy sector is the target of more than 40 percent of all reported cyberattacks. In 2014, the National Security Agency (NSA) reported that the agency had tracked intrusions into industrial control systems by entities with the technical capability ‘to take down control systems that operate U.S. power grids, water systems and other critical infrastructure’.” (Page vii. Internal citations omitted.)

On February 12, 2013, President Obama[5] noted:

“The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.”

In 2008, the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack reported about the bulk power system:

“Electrical power is necessary to support other critical infrastructures, including supply and distribution of water, food, fuel, communications, transport, financial transactions, emergency services, government services, and all other infrastructures supporting the national economy and welfare. Should significant parts of the electrical power infrastructure be lost for any substantial period of time, the Commission believes that the consequences are likely to be catastrophic, and many people may ultimately die for lack of the basic elements necessary to sustain life in dense urban and suburban communities.” (Page vii.)[6]

In fact, there have been over two decades of congressional hearings, federal reports and studies about the various threats to the U.S. electric grid.[7] Of the numerous hearings on threats to the critical infrastructures, below are a select few in which Congress examined the cyber threats to the grid:

There is no debate that a loss of the electric grid for a long period of time, for any reason, would be catastrophic for the United States. Because we cannot support our present human population without the electric grid, the loss of life would be unimaginable. Here are the undisputed facts:

  1. Fact: We know that cyber threats to the U.S. electric grid exist and are increasing.[8]
  2. Fact: We know that the electric grid in the Ukraine was attacked and taken down twice by cyberattacks.[9]
  3. Fact: We know that cyber-attacks have been known to destroy equipment.[10]
  4. Fact: We know that all U.S. critical infrastructures are dependent on the bulk power system.[11]

Therefore, the cyber threat to the bulk power system represents an existential threat to the United States. The federal government – not the electric industry – is responsible for protecting against threats to national security. Therefore, the electric industry’s objections to more stringent regulations are unpersuasive. The bulk power system must, without fail, be protected.

It is critical that the federal government ensure that the critical infrastructures are adequately protected against known threats. In this case, the cyber security of the U.S. bulk power system is not a matter of convenience; it is a matter of paramount importance for the federal government.

 

Conclusion:

I urge you to require NERC to promulgate strict cyber security standards and reporting requirements. Thomas Jefferson famously said: “The first duty of government is the protection of life, not its destruction.  Abandon that, and you have abandoned all.”

FERC’s duty here is clear. You must protect life. The threats to the electric grid constitute a national security issue. This is not a matter of a benevolent government being friendly to businesses. This is a matter of national security and the very real threat to millions of Americans’ lives.

 

Respectfully submitted by:

 

Michael Mabee

 

End Notes:

[1] Mabee, Michael. The Civil Defense Book: Emergency Preparedness for a Rural or Suburban Community. ISBN-13: 978-1974320943, first edition published July 4, 2013, second edition published October 17, 2017.

[2] Foundation for Resilient Societies. “Petition for Rulemaking to Require an Enhanced Reliability Standard to Detect, Report, Mitigate, and Remove Malware from the Bulk Power System.”  Filed January 13, 2017. https://www.resilientsocieties.org/uploads/5/4/0/0/54008795/resilient_societies_petition_for_rulemaking_ad17-9.pdf (accessed February 22, 2018).

[3] Senate Report 115-12. Activities of the Committee on Homeland Security and Governmental Affairs. (115th Congress) March 28, 2017. https://www.gpo.gov/fdsys/pkg/CRPT-115srpt12/pdf/CRPT-115srpt12.pdf (accessed February 22, 2018).

[4] House Hearing before the Subcommittee on Economic Development, Public Buildings, and Emergency Management. “Blackout! Are We Prepared to Manage the Aftermath of a Cyberattack or Other Failure Of The Electrical Grid?” (114th Congress) April 14, 2016. https://www.gpo.gov/fdsys/pkg/CHRG-114hhrg99931/pdf/CHRG-114hhrg99931.pdf (accessed February 22, 2018).

[5] Executive Order 13636 Improving Critical Infrastructure Cyber Security. February 12, 2013. https://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf (accessed February 23, 2018).

[6] Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack. “Critical National Infrastructures.”  2008. https://permanent.access.gpo.gov/LPS101707/A2473-EMP_Commission-7MB.pdf  (accessed February 23, 2018).

[7] See a comprehensive listing of these federal documents here: https://michaelmabee.info/government-documents-emp-and-grid-security/ (accessed February 22, 2018).

[8] RTO Insider. Expert Sees ‘Extreme Uptick’ in Cyber Attacks on Utilities. https://www.rtoinsider.com/naruc-dragos-cybersecurity-scada-86882/ (accessed February 22, 2018).

[9] Wired magazine. ‘Crash Override’: The Malware That Took Down a Power Grid. https://www.wired.com/story/crash-override-malware/ (accessed February 22, 2018).

[10] Wired Magazine. An Unprecedented Look at Stuxnet, The World’s First Digital Weapon. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ (accessed February 22, 2018).

[11] Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack. “Critical National Infrastructures.”  2008. https://permanent.access.gpo.gov/LPS101707/A2473-EMP_Commission-7MB.pdf  (accessed February 23, 2018). Page vii.



Dr. Peter Vincent Pry Explains Electromagnetic Pulse (EMP)

Dr. Peter Vincent Pry explains the threat of electromagnetic pulse (EMP) and geomagnetic disturbance (GMD) on January 21, 2018 in South Carolina.

 

Dr. Peter Vincent Pry - United States Unprepared for an Electromagnetic Pulse

Dr. Peter Vincent Pry

Read more about the EMP Commission (click here)