A widespread long-term outage caused by a cyberattack is “very unlikely,” but other threats are great enough that local governments should prepare for a potential outage of one or two weeks, according to one expert who recently testified before Congress on the subject.

Given the rash of data breaches and ransomware attacks in other sectors, cybersecurity of critical infrastructure has been a hot topic among federal lawmakers, especially after a cyberattack last year in the Ukraine resulted in hundreds of thousands of people being without electricity.

Lou Barletta (R-Pa.), chairman of the House Subcommittee on Economic Development, Public Buildings and Emergency Management, said his goal during the hearing was to give local-government officials guidelines about how long their communities could be without power in the case of a cyberattack.

“The federal government does not have this basic planning scenario for a cyber threat to the power system and there is a huge disparity in what different groups think is a potential scenario for which states and local governments should prepare,” Barletta said during the April 14 hearing, which was webcast

“And the difference would be significant for local governments.  If the power is out for a few days, it can be an inconvenience, but if it is out for several weeks, or a month or more, the local government has to potentially plan for increased public safety, water treatment, sheltering or evacuation, fuel delivery for generators and many other contingencies.”

Federal Emergency Management Agency (FEMA) Administrator Craig Fugate stressed the importance that local governments conduct real-world planning and testing of backup systems. For instance, many critical-infrastructure entities have backup generators to provide power, but they often are not tested beyond what is necessary to pass inspection and are not maintained well enough to provide power for an extended period when it is needed most.

Fugate said most local areas are prepared to operate during a outage of several hours to a couple of days, but many are not prepared for a lengthier outage. In some cases, they do not have adequate refueling plans to keep generators running for an extended period of time, he said.

“I learned this the hard way: A lot of communities do not plan for refueling in a crisis,” Fugate said. “There are certain contractual things you have to have to make sure you get ensured deliveries, and those suppliers may not be local.”

Local governments should not depend heavily on evacuation plans, because “it’s unlikely in a widespread outage that there will be places to go to,” Fugate said.

One issue noted by several lawmakers and panelists is that large transformers are a big investment--$5 million to $10 million apiece—and can take months to build and deliver. With this in mind, creating a stockpile of backup transformers and transporting them where they can be deployed in a relatively short timeframe should be a priority, many hearing participants agreed.

While an electrical outage tends to get the most attention in today’s hyper-connected society, Fugate said that failures in water and wastewater utilities are even more difficult to overcome.

Meanwhile, one difficulty in implementing some of the strategies mentioned during the hearing is funding, because it means precious resources are being used to prepare for an event that may not happen.

“It’s easy to say, ‘This is the fix,’ until you say who’s paying for it,” Fugate said.

Gerry Cauley, president and CEO of the North American Electric Reliability Corporation (NERC), said that the threat of cyberattacks on the power grid is “very real” but said the security efforts taken to protect the U.S. power grid are superior to those practiced in the Ukraine.

“I believe we are well prepared,” Cauley said.