Energy Updates Assessment Tool for Administration’s 100-Day Cybersecurity Sprint


The update comes as lawmakers jostle for jurisdiction over cybersecurity across multiple critical infrastructure sectors with a slew of bills advancing in both chambers of Congress.

The Energy Department has revamped a tool it developed almost a decade ago—the Cybersecurity Capability Maturity Model—to help companies in the sector manage their cybersecurity risks. The update is part of the Biden administration’s response to recent attacks on critical infrastructure, which included a particular 100-day focus on industrial control systems.

“The Biden Administration is committed to securing our nation’s critical energy infrastructure from increasingly persistent and sophisticated cyber threats and attacks,” Puesh Kumar, acting principal deputy assistant secretary for Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, said in a press release Wednesday. “Through the release of C2M2 Version 2.0 and other activities under the 100-day ICS Cyber Initiative, we are taking deliberate action to protect against cyber threats and attacks.”

Energy worked with the Commerce Department’s National Institute of Standards and Technology in updating the cybersecurity evaluation tool—first issued in 2012—to consider the current cybersecurity landscape, according to the release.

“The updated model reflects inputs from 145 cybersecurity experts representing 77 energy sector organizations,” Energy said. “Updates address new technologies like cloud, mobile, and artificial intelligence, and evolving threats such as ransomware and supply chain risks, and ultimately support companies in strengthening their operational resilience.”

Energy said it is also working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on the 100-day initiative. But following a ransomware attack on Colonial Pipeline, some lawmakers with oversight responsibilities for CISA questioned the administration’s decision to designate Energy as the lead agency in the government’s response to the incident.  

“Foundational to the work of this committee must be maximizing the role of CISA,” House Homeland Security Committee Ranking Member John Katko said during a June 9 hearing on the attack. “We must mature the relationship between CISA–as the nation’s lead civilian cybersecurity agency with centralized capacity and tools–and the Sector Risk Management Agencies, who have the sector-specific relationships and expertise. Optimizing, not eroding, these relationships between CISA and the various SRMAs will be critical going forward. Now is not the time to relitigate previous turf battles.”

Katko introduced a bill—the DHS Industrial Control Systems Capabilities Enhancement Act—to codify CISA’s role in securing industrial control systems. It passed in the House Tuesday and a companion measure was introduced Thursday by Senate Homeland Security and Intelligence committee leaders.

The bill was among a number of others passing the House Tuesday, including one from Rep. Elissa Slotkin, D-Mich., that aims to “promote more regular testing and systemic assessments of preparedness and resilience to cyber attacks against critical infrastructure.” 

At the same time, members of the House Energy and Commerce Committee praised House passage of three bills—the Energy Emergency Leadership Act, the Enhancing Grid Security through Public-Private Partnerships Act and the Cyber Sense Act of 2021—that would put the Energy Department in charge of cybersecurity activities for the sector. 

“The Colonial Pipeline ransomware attack was painful proof that bad actors are increasingly focused on exploiting and attacking our nation’s most critical infrastructure,” Committee Chairman Frank Pallone, D-N.J., and Rep. Bobby Rush, D-Ill., leader of the relevant subcommittee, said in a joint statement after the vote. “It’s absolutely crucial that we keep pace with the tools and resources necessary to both stop and mitigate fallout from these cyberattacks, and thankfully, today the House voted to do just that. We are grateful to all the sponsors for their bipartisan work and urge swift consideration in the Senate.”

A massive energy bill that passed with bipartisan support out of the Senate’s Energy and Natural Resources Committee last week contains some of the House Energy and Commerce Committee’s cybersecurity provisions and is tagged for inclusion in a pending bipartisan infrastructure package.

On Wednesday, Pallone also celebrated the movement of a number of telecom-focused cybersecurity bills through committee. 

“Today I am proud that the Energy and Commerce Committee came together to pass urgently needed legislation that will promote more secure networks and supply chains, bringing us one step closer to a safer and more secure wireless future,” he said. “Collectively, these bipartisan bills will educate the public, smaller providers, and small businesses on how best to protect their telecommunications networks and supply chains—all while improving the coordination and resources necessary to support them.”

Among that package of bills is one from Reps. Anna Eshoo, D-Calif., and Adam Kinzinger, R-Ill., that would “require the National Telecommunications and Information Administration to examine and report on the cybersecurity of mobile service networks and the vulnerability of these networks and mobile devices to cyberattacks and surveillance conducted by adversaries.” 

Along with others in the package, the bill would significantly expand the cybersecurity responsibilities of NTIA, a Commerce agency. The effort comes after the Federal Communications Commission—under former Chairman Ajit Pai—abandoned some of the agency's work on cybersecurity. The FCC is a regulatory agency under the jurisdiction of the Energy and Commerce Committee, but DHS is considered the sector risk management agency listed for the communications sector.

The bill with the fastest time from introduction to floor vote this week was one with provisions on staffing the office of the National Cyber Director. It passed the Senate Thursday after being introduced the day before with support from Sen. Angus King, I-Maine, co-chair of the congressionally mandated Cyberspace Solarium Commission. 

The commission has identified congressional turf fights as a roadblock to progress on cybersecurity. Creation of the national cyber director position was its chief recommendation for coordinating federal cybersecurity activity.  

"We can't afford to wait until the next big cyber incident before making sure the NCD office is fully operational," Rep. Jim Langevin, D-R.I., co-chair of the Congressional Cybersecurity Caucus and a member of the commission, told Nextgov. "Senators Portman and Peters did a great job moving this legislation through the Senate, and I hope to work with Chairwoman [Carolyn Maloney, D-N.Y.] to advance it in the House."
