Cyberattacks have grown at an alarming rate in frequency, impact, and sophistication. From the BlackEnergy malware used against Ukraine's grid onward, attackers have been ramping up operations against critical national infrastructure, including the U.S. electric grid, and energy and utility companies are already seeing this in the form of an increased number of cyberattacks targeting energy infrastructure. These high-profile incidents have pushed the federal government to elevate its focus on cybersecurity threats to the energy sector, and two recent developments at the U.S. Department of Energy (DOE) merit special attention. First, on February 14, 2018, Secretary Rick Perry established the new Office of Cybersecurity, Energy Security, and Emergency Response (CESER), which is charged with coordinating government and industry efforts to address energy sector threats. In the recently enacted FY 2019 budget, the new office received an appropriation of $120 million to fund CESER operations and support the DOE's expanded cybersecurity initiatives. Second, on August 28, 2018, the U.S. Senate confirmed Karen Evans as the Assistant Secretary for CESER.
On September 27, 2018, Ms. Evans appeared at her first congressional hearing, before the U.S. House Energy & Commerce Committee, to discuss the role of CESER in improving the resilience and reliability of critical energy infrastructure. The hearing came on the heels of the Trump Administration's release of a new national cybersecurity strategy intended to improve the defensive posture of federal and private sector networks and systems. Ms. Evans, who previously served as the DOE's Chief Information Officer (CIO), focused her testimony on how CESER will support the Administration's priorities by working in close coordination with federal, state, and industry partners to identify vulnerabilities and prepare for national-level incidents that could disrupt energy supply.
Ms. Evans noted that CESER has operational responsibility for the Infrastructure Security and Energy Restoration (ISER) and Cybersecurity for Energy Delivery Systems (CEDS) programs. CEDS drives key national cybersecurity priorities, such as strengthening energy sector cyber readiness and developing new cybersecurity technologies. CEDS also manages the Cybersecurity Risk Information Sharing Program (CRISP), an energy sector-specific partnership funded by the DOE and the Electricity Information Sharing and Analysis Center (E-ISAC), which facilitates timely, bi-directional sharing of cyber threat information to monitor energy sector IT networks. To date, 75 percent of electric utilities participate in CRISP, and the Department is working to increase the number of companies enrolled.
Ms. Evans also emphasized the importance of strengthening energy sector cybersecurity preparedness and described several new pilot initiatives, including the Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program. Through CyTRICS, the DOE intends to test the critical electrical components found in the systems that control energy infrastructure, and to use the test data to identify systemic and supply chain risks. The program will operate as a voluntary public-private partnership in which the Department offers technical and operational assistance to energy owners and operators so that supply chain vulnerabilities can be identified and remediated quickly.
As news reports of cyberattacks on vital infrastructure become more prevalent, so too do discussions of how to make our energy infrastructure more resilient. Several key federal agencies, including the DOE in its Multi-Year Plan for Energy Sector Cybersecurity, have been identifying ways to go beyond the minimum thresholds currently in use in order to bolster the energy sector's cybersecurity readiness. More recently, the Federal Energy Regulatory Commission (FERC) has proposed changes to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards in an effort to protect utility companies from malicious threats. With the establishment of its new cybersecurity office, however, the DOE will assume a leading role in safeguarding energy infrastructure by factoring cybersecurity resilience into its programs and by providing information and resources to help energy and utility companies prepare for disruptive events.
Companies should work diligently to stay ahead of the curve by monitoring new regulatory developments in this area, maintaining compliance with the cybersecurity standards that apply to them, and adopting a formal cybersecurity program that lets them adapt to rapidly changing technology risks. Make sure you are meeting the NERC CIP standards that apply to your organization: maintain an inventory of your critical cyber systems, apply a risk-based approach to protecting those systems, and develop a comprehensive cybersecurity program that includes procedures for incident detection, response, and reporting. Review your cybersecurity program at least annually and update it to account for changes in business activities and new threat vectors.