Saryu Nayyar | Forbes.com
As the Biden administration gears up to rebuild America’s infrastructure, the Department of Energy (DOE) recently announced a “100-day plan to address cybersecurity risks to the U.S. electric system.” The sprint is intended to “enhance the cybersecurity of electric utilities’ industrial control systems (ICS) and secure the energy sector supply chain.” According to the announcement, the plan is “a coordinated effort between DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA).”
Coming on the heels of a massive December cyberattack that affected the DOE’s systems, as well as the ransomware attack against the Colonial Pipeline that disrupted the critical flow of refined oil products, the cybersecurity sprint is great news. Anything that is done to enhance the cyberdefenses of our critical infrastructure is welcome.
A 100-day initiative is a great start, but how much can realistically be achieved in so short a time frame?
A Large And Fragmented Electric Industry
The very makeup of the electricity sector presents a challenge. Despite the vitally important role electricity plays in nearly every aspect of our lives, the industry that produces and transmits electricity in this country is very large and fragmented. There are thousands of power generation plants and electric power transmission lines (collectively known as the Bulk Electric System, or BES) all across this country. Some are federally owned, some are owned by local public utilities, and others are investor-owned.
Regardless of company size or ownership status, all organizations that support the BES are required to comply with a set of cybersecurity standards known as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards. NERC-CIP defines the reliability requirements for planning, operating and protecting the North American bulk power supply system. It covers everything from identifying and categorizing assets, to implementing physical and digital security controls, to dealing with incidents and recovering from a cyber breach.
As any security officer knows, “compliance” does not guarantee “security.” Even if all companies that are part of the BES are fully compliant with NERC-CIP — and that’s a big “if” — it’s still a good idea to have a group of experts examine the security controls and bring them up to date to be able to counter current threats from a variety of adversaries.
The DOE’s 100-day plan states that “the initiative modernizes cybersecurity defenses and encourages owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities” and “includes a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems.” The words “encourages” and “voluntary” are disturbing. This means that companies that are part of the nation’s critical infrastructure can opt out of further securing their cyber assets if they so choose.
Implementing Cybersecurity Takes Time And Money
Getting these companies to strengthen their cybersecurity postures will take time — certainly more than 100 days — and the cost will be great. However, the December attack is providing an incentive to address cybersecurity sooner rather than later. There is certainly a concern that, if hackers did gain access to DOE and energy-related networks, they could destroy or alter data or, worse, take control of operations.
Even a partial shutdown of the power grid could have dire consequences. While not tied to a cyberattack, the big February freeze that devastated the Texas power grid statewide caused damage running into the billions of dollars and led to more than 100 people losing their lives.
With the federal government now focusing on infrastructure improvements that include the national power grid, there may be money forthcoming to address the modernization of the industrial control systems and operational technology. Many facilities still operate on technology that is decades old and without any inherent security capabilities. At the very least, these industrial controls must be isolated behind a secure perimeter to prevent any sort of unauthorized intrusion.
Steps To Improve Cybersecurity In The Electric Industry
With the 100-day initiative, the DOE is seeking energy industry input on securing the nation’s energy systems. As a security vendor looking from the outside in, I have a few suggestions on what can be done.
First, make strong(er) cybersecurity measures mandatory rather than recommended for every entity in the energy supply chain. NERC-CIP provides a good framework, but protections can always be stronger.
Next, minimize the interface points between ICS/OT systems and IT systems and the internet in general. Also, put a security perimeter around those old systems that have no built-in defenses.
Then, assume that every company on the BES is already compromised by a malicious actor and incorporate threat hunting strategies into their cybersecurity routines. Prevention and detection are still essential, but the next step is to actively hunt for anomalous and malicious activity that could be indicative of a breach.
Finally, make it a continuous process to always be updating and improving cybersecurity measures. Attackers are always finding new ways to get at what they want, so defenders also must use the latest techniques and technologies. For many companies, this probably means significantly boosting (and maintaining) the budget dedicated to people, processes and technology.
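The second and third steps above (minimize the interface points between IT and ICS/OT, then hunt for activity that should not be there) can be turned into a concrete, repeatable check. The script below is an added example, not code from the article or from any utility: it takes firewall flow records from the IT/OT boundary, classifies each endpoint into a zone, and flags every zone crossing that is not on an explicit allowlist of sanctioned conduits. The zone address ranges, the allowed conduits, the log format and the sample flows are all constructed assumptions for illustration.

```python
"""
IT/OT boundary review (added example; IP ranges, ports and log lines are constructed).
Flag every flow that crosses a zone boundary without being on the allowlist of
sanctioned interface points, so unexpected paths into the control network stand out.
"""
import ipaddress
from collections import namedtuple

# Hypothetical zone layout (assumption): corporate IT, an OT DMZ holding the jump
# host and historian, and the control network where PLCs and HMIs live.
ZONES = {
    "IT":     ipaddress.ip_network("10.10.0.0/16"),
    "OT_DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":     ipaddress.ip_network("192.168.100.0/24"),
}

# Deliberately short list of sanctioned interface points (assumption):
# (source zone, destination zone, protocol, destination port).
ALLOWED_CONDUITS = {
    ("IT", "OT_DMZ", "tcp", 443),   # HTTPS to the historian's web front end
    ("IT", "OT_DMZ", "tcp", 22),    # SSH to the jump host
    ("OT_DMZ", "OT", "tcp", 502),   # Modbus/TCP from the historian to PLCs
}

Flow = namedtuple("Flow", "src dst proto dport")


def zone_of(ip: str) -> str:
    """Map an address to its zone name; anything outside the known ranges is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src=IP dst=IP proto=tcp dport=N'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


def review_flows(lines):
    """Return a list of (reason, Flow) for every boundary crossing not on the allowlist."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is out of scope for a boundary review
        if (src_zone, dst_zone, f.proto, f.dport) in ALLOWED_CONDUITS:
            continue  # a sanctioned interface point
        if dst_zone == "OT" and src_zone != "OT_DMZ":
            reason = "direct access into control network bypasses the DMZ"
        elif src_zone == "OT" and dst_zone == "EXTERNAL":
            reason = "control network host talking to the internet"
        else:
            reason = "zone crossing not on the allowlist"
        findings.append((reason, f))
    return findings


# Constructed sample flows, not real telemetry.
SAMPLE_FLOWS = [
    "src=10.10.5.7 dst=10.20.0.10 proto=tcp dport=443",        # IT -> DMZ historian: allowed
    "src=10.10.5.7 dst=192.168.100.20 proto=tcp dport=502",    # IT -> PLC directly: flagged
    "src=10.20.0.10 dst=192.168.100.20 proto=tcp dport=502",   # historian -> PLC: allowed
    "src=192.168.100.20 dst=203.0.113.9 proto=tcp dport=443",  # PLC -> internet: flagged
    "src=10.10.5.8 dst=10.20.0.10 proto=tcp dport=3389",       # IT -> DMZ over RDP: flagged
    "src=192.168.100.21 dst=192.168.100.20 proto=tcp dport=502",  # inside OT: ignored
]

if __name__ == "__main__":
    for reason, flow in review_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {reason}")
```

Run against real boundary logs, the value is less in the three lines it prints than in the allowlist itself: writing it down forces the inventory of interface points the second step calls for, and every flow the script flags is either a conduit that was forgotten (shrink the list or document it) or exactly the kind of anomaly the third step says to hunt for.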
The entire supply chain of the U.S. electric grid needs strong cybersecurity measures. The 100-day initiative is a good place to start, but a lot of follow-on work will be needed as well.