According to the U.S. Department of Homeland Security (DHS), 35 percent of all incidents reported to its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) between 2013 and 2015 were directed to the energy sector. As a direct consequence of the increased vulnerability of the nation’s energy infrastructure, the U.S. Department of Energy (DOE) has begun to play a critical role in supporting cybersecurity and energy security. On May 14, 2018, the DOE officially opened its Office of Cybersecurity, Energy Security, and Emergency Response (CESER) which will support initiatives outlined in a report that Secretary Rick Perry issued in March of 2018. The DOE Multiyear Plan for Energy Sector Cybersecurity outlines the major cybersecurity threats to the energy sector and prescribes a five-year plan to enhance energy sector cybersecurity.
As part of a comprehensive strategy to enhance security and resilience, the Department is focusing its cyber support efforts across three key initiatives: (i) strengthening energy sector cybersecurity preparedness; (ii) facilitating the coordination of national cybersecurity security response activities across the federal government and with the private sector; and (iii) supporting the research, development and demonstration (RD&D) of tools and technologies to enhance the cybersecurity of energy delivery systems. This also includes enhancing a system of sharing threat intelligence with energy sector partners, increasing alignment of cyber-incident preparedness and planning across local, state, and Federal governments, and leveraging the expertise of the National Labs to drive cybersecurity innovation.
Most energy and utility companies now recognize that cybersecurity threats pose the same kind of risk to critical systems and infrastructure as a hurricane or similar natural disaster. The rapidly changing cyber threat and vulnerability landscape, from advanced malware attacks launched by nation-states to disruptive ransomware attacks, demands an integrated, collaborative, risk-based partnership between industry and government. Some utilities have already developed robust resilience strategies, including i) conducting regular drills and sharing of information related to cyber threats with industry and government partners, ii) establishing a corporate incident response team and security professionals devoted to cybersecurity 24 hours a day; and iii) working closely with local, state and national emergency management and law enforcement after cybersecurity incidents.
Other energy companies and utilities may not have the resources to fund aggressive cybersecurity initiatives. Still, all providers need to create at least the minimum level of cybersecurity standards to ensure that electricity availability is guarded. Hopefully, the CESER will provide resources needed for this minimum level of reliability and security while fostering the collaboration and research necessary for enhanced protection from cybersecurity risks.
The Michael Best Privacy and Cybersecurity team possesses strategic risk management capabilities and unique insights into this evolving federal regulatory landscape which can be used to support energy sector cybersecurity. We help clients understand the cybersecurity threats that face their organization and develop strategies to mitigate their risk. We also assist in planning for cyber incidents and effectively responding to data breaches, and counsel on the legal and policy issues that may arise when sharing cyber threat information. Please feel free to reach out to Michael Best’s Energy or Privacy and Cybersecurity attorneys for questions or assistance.