The energy sector faces the “unfortunate reality” that “at least for the next decade, the offensive cyber capabilities of our most capable adversaries are likely to far exceed the United States’ ability to defend key critical infrastructures,” Joseph McClelland, director of the Office of Energy Infrastructure Security at the Federal Energy Regulatory Commission, told Congress.
Cybersecurity standards “are developed in the open, and they’re deliberative, and they’re iterative,” McClelland noted at last week’s House Oversight and Reform Subcommittee on National Security hearing on defending the electric grid against cyber threats. “Our adversaries are capable of reading the standards and adapting those standards even before they’re put into place, which is spoken to by our intelligence community assessments.”
“It’s a matter of information sharing between the agencies and between the industry to make certain that they can address these threats,” he added.
Cybersecurity threats that could degrade or disable electricity infrastructure are made “even more complex and challenging” when dealing with more than 3,000 electric utilities across the United States and standards that need to evolve with threats, said Puesh Kumar, acting principal deputy assistant secretary for the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER).
“What are tools and technologies that we can put on the grid that can detect these threats before they result in impacts? And we need to continue investing in a lot of that R&D,” Kumar said. “When it does happen, just like a Colonial [Pipeline incident], how do we respond, respond swiftly and have the backups necessary to immediately recover from a response?”
Frequently, he noted, states “don’t have the resources to actually make these informed decisions in terms of how much a cybersecurity investment is appropriate.”
The SolarWinds hack also underscored the threat in the supply chain, where critical components, manufacturers, and suppliers across the energy sector could be a weak, vulnerable link. Kumar said his concern is making sure that if “they are impacted, then they cannot actually be the attack vector into these utilities.”
“In terms of what we do right now as we practice the response, so if this were to happen, how do we get either a spare transformer in or another piece of equipment quickly in?” he said. “So that’s something that we are constantly doing with the sector in terms of preparing for that type of incident.”
DOE is designated as the Sector Risk Management Agency for the energy sector and is the coordinating agency for Emergency Support Function 12 under the National Response Framework.
“CISA and FERC are certainly on speed dial, as well as our partners at the state, local, territorial, and tribal levels,” Kumar said. “Further, we have a strong relationship with the U.S. energy sector owners and operators. DOE and DHS serve as cochairs of the Electricity Subsector Coordinating Council and the Oil and Natural Gas Subsector Coordinating Council.”
The sector coordinating council structure “allows the government, federal and state, to work closely with the industry to prepare for and respond to national-level disasters or threats to critical infrastructure,” Kumar said. “Collective preparedness and collective response are at the heart of our work. With that in mind, there are five priorities that I’ve set for the CESER office to really ensure that we are targeting our resources on the critical issues that are facing the U.S. energy sector.”
Those are to “increase the visibility of cyber threats targeting industrial control systems of energy companies,” to “identify supply chain threats and disclose vulnerabilities in the energy sector, both in their hardware but also the software and the digital supply chain,” to “encourage the concept of security by design and ensuring that cybersecurity is just built into the relevant research and development,” to pursue “capacity building in the industry and the state, local, territorial, and tribal communities” through improvements in information sharing, exercises, and workforce development, and to ensure “that when an incident does occur, regardless of hazard, CESER is ready to support the sector and mitigate impacts and ensure the safe and efficient restoration of the nation’s energy infrastructure.”
Eric Goldstein, executive assistant director for cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), told lawmakers that “cyber intrusions targeting organizations across all sectors of the economy reflect that this is now an urgent threat to our national security, economic security, and public health and safety… the energy sector is essential to numerous national critical functions, not only the power itself, but of course its dependencies, water, telecommunications, the ability to move around our communities.”
CISA aims to share timely and actionable information on threats, offer voluntary services to help private-sector partners spot and fix vulnerabilities, provide incident response and threat-hunting assistance should an intrusion occur, provide active detection tools for companies to use voluntarily, and conduct cross-sector analysis “to understand how a cyber intrusion can cascade across sectors and impact national critical functions.”
“But going forward, it’s clear that we have more to do. It is clear that we must act urgently to address this increasing threat to our national security,” Goldstein said.
That includes continuing “to work urgently on a voluntary basis with government and the private sector partners to gain visibility into cybersecurity threats and intrusions across the country,” looking “to more broadly deploy our detection tools,” and continuing “to mature our voluntary partnerships with government and the private sector.”
“We are shortly launching our newly renamed joint cyber defense collaborative, as established in last year’s NDAA, to formalize our work between government and the private sector around mitigating and understanding emerging cyber campaigns affecting our country,” Goldstein added. “And lastly, we must recognize that we are not going to, in the near term, prevent every cybersecurity intrusion, and we must focus on resilience and functional continuity.”
McClelland stressed that “the nature of the national security threats from adversaries intent on attacking our nation’s electric grid significantly differ from reliability vulnerabilities that have caused regional blackouts and reliability failures we have seen in the past.”
“While the NERC Critical Infrastructure Protection, or CIP, reliability standards are the foundation of the commission’s work to address cybersecurity, there are additional measures that can and should be taken to further improve industry’s cybersecurity posture, considering these rapidly evolving threats,” he said. That is why FERC established OEIS: to partner with federal agencies, states, and industry to help identify new threats, share information with the private sector, perform voluntary cybersecurity evaluations, and assist with mitigating actions.
OEIS also works with the National Counterintelligence and Security Center at the Office of the Director of National Intelligence to conduct briefings and share threat intelligence with the private sector and states.
“Last month, OEIS assisted the National Guard units and participating utilities in the New England states to conduct Cyber Yankee, a simulated cyberattack on system networks. This red-teaming exercise helped the New England utilities and National Guard units to prepare for these threats, including practicing government assistance to the utilities as part of the defense and recovery efforts,” McClelland said. “Exercises such as these are critical to maintaining readiness and ensuring our ability to respond to cybersecurity attacks.”
Goldstein told the committee that “we have an environment today where there are many organizations throughout this country and across sectors of critical infrastructure that have not universally deployed these sort of strong security controls and managed known security weaknesses that we know that our adversaries have the intent and capability to exploit.”
“If all organizations do not urgently focus on understanding not only the vulnerabilities in their networks that exist today, but also on the tactics, techniques, and procedures that we are seeing adversaries, whether nation states or criminal gangs, utilize, and don’t urgently invest in putting in place controls that meet what we see our adversaries doing … we are at urgent risk of a cybersecurity intrusion that could result in degradation of a national critical function, of which there are many,” he warned.