Cyber risks loom for energy sector

Cyberattacks on energy critical infrastructure are the leading threat to the sector, highlighting the need for continued public/private partnerships.

Shutterstock image (by fotogestoeber): virus infection spreading out in a network.

The potentially catastrophic cyber threat looming over the U.S. critical infrastructure is potentially worse than a busy hurricane season according to a key Department of Energy infrastructure security official.

"The most worrisome threat we face in the energy sector is cyber," said L. Devon Streit, deputy secretary, infrastructure security and energy restoration at the agency's Office of Electricity Delivery and Energy Reliability.

In remarks at an Oct. 4 Intelligence and National Security Alliance (INSA) panel on cybersecurity and infrastructure, Streit said that this risk assessment will be backed up by a forthcoming Energy Department report. The report, in its final stages of approval at the agency, compares the relative dangers and impacts of hurricanes and natural disasters against the dangers and impacts of cyberattacks.

"Cyber is at the top of the list," she said.

The conclusion that cyber threats are mounting against energy plants and any of the mostly privately owned U.S. critical infrastructure isn't a surprise, and alarm bells have been ringing.

In August, the White House National Infrastructure Advisory Council advisory group recommended the U.S. establish separate communications networks to support critical systems and take steps to rapidly declassify cybersecurity threat information so that front-line infrastructure operators can use it to defend against attacks.

"There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack to organize effectively and take bold action," the report stated.

Other experts on the INSA panel -- Cal Bowman, deputy director of the Maryland Governor's Office of Homeland Security, and Isaac Janak, cyber security program manager for Virginia -- shared Streit's urgency.

Bowman and Janak noted that states can have diverse approaches to help protect against critical infrastructure cyber threats.

Maryland, said Bowman, like many states is developing ways to address the cross-cutting issue of cybersecurity at its agencies and in the state's critical infrastructure providers. Virginia, he said, has developed an extensive cyber capability through the state's National Guard operations, which developed the Guard's first "cyber brigade" that monitors its networks.

All panel participants noted that protecting critical infrastructure at the federal and state level is a complex job that depends not only on the interplay between state and federal officials, but on private industry.

Information sharing among the public and private sectors, they said is critical to the effort.

The Department of Energy, said Streit, has been working on specific programs to do that, including the Cybersecurity Risk Information Sharing Program and the Cybersecurity for the Operational Technology  Environment. A pilot is also underway that will set a path for two-way data sharing and analysis within the complex operational technology environment, an area where energy utilities currently don't have mature tools for threat detection. 

The pilot looks to better define how threat data from OT networks is set up, from determining what to monitor, how to collect and process data to how to share sensitive data while protecting privacy.  DOE said the results from pilot will inform development of a repeatable, standard approach that the energy industry can use for real-time operational threat data sharing and analysis.