Energy Updates Assessment Tool for Administration’s 100-Day Cybersecurity Sprint

The Energy Department has revamped a tool it developed almost a decade ago—the Cybersecurity Capability Maturity Model—to help companies in the sector manage their cybersecurity risks as part of the Biden administration’s response to recent attacks on critical infrastructure, which included a particular focus on industrial control systems for 100 days.

“The Biden Administration is committed to securing our nation’s critical energy infrastructure from increasingly persistent and sophisticated cyber threats and attacks,” Puesh Kumar, acting principal deputy assistant secretary for Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, said in a press release Wednesday. “Through the release of C2M2 Version 2.0 and other activities under the 100-day ICS Cyber Initiative, we are taking deliberate action to protect against cyber threats and attacks.”

Energy worked with the Commerce Department’s National Institute of Standards and Technology in updating the cybersecurity evaluation tool—first issued in 2012—to consider the current cybersecurity landscape, according to the release. 

“The updated model reflects inputs from 145 cybersecurity experts representing 77 energy sector organizations,” Energy said. “Updates address new technologies like cloud, mobile, and artificial intelligence, and evolving threats such as ransomware and supply chain risks, and ultimately support companies in strengthening their operational resilience.”

Energy said it is also working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on the 100-day initiative. But following a ransomware attack on Colonial Pipeline, some lawmakers with oversight responsibilities for CISA questioned the administration’s decision to designate Energy as the lead agency in the government’s response to the incident.  

“Foundational to the work of this committee must be maximizing the role of CISA,” House Homeland Security Committee Ranking Member John Katko said during a June 9 hearing on the attack. “We must mature the relationship between CISA–as the nation’s lead civilian cybersecurity agency with centralized capacity and tools–and the Sector Risk Management Agencies, who have the sector-specific relationships and expertise. Optimizing, not eroding, these relationships between CISA and the various SRMAs will be critical going forward. Now is not the time to relitigate previous turf battles.”

Katko introduced a bill—the DHS Industrial Control Systems Capabilities Enhancement Act—to codify CISA’s role securing industrial control systems. It passed in the the House Tuesday and a companion measure was introduced Thursday by Senate Homeland Security and Intelligence committee leaders.

The bill was among a number of others passing the House Tuesday, including one from Rep. Elissa Slotkin, D-Mich., that aims to “promote more regular testing and systemic assessments of preparedness and resilience to cyber attacks against critical infrastructure.” 

At the same time, members of the House Energy and Commerce Committee praised House passage of three bills—the Energy Emergency Leadership Act, the Enhancing Grid Security through Public-Private Partnerships Act and the Cyber Sense Act of 2021—that would put the Energy Department in charge of cybersecurity activities for the sector. 

“The Colonial Pipeline ransomware attack was painful proof that bad actors are increasingly focused on exploiting and attacking our nation’s most critical infrastructure,” Committee Chairman Frank Pallone, D-N.J., and Rep. Bobby Rush, D-Ill., leader of the relevant subcommittee, said in a joint statement after the vote. “It’s absolutely crucial that we keep pace with the tools and resources necessary to both stop and mitigate fallout from these cyberattacks, and thankfully, today the House voted to do just that. We are grateful to all the sponsors for their bipartisan work and urge swift consideration in the Senate.”

A massive energy bill that passed with bipartisan support out of the Senate’s Energy and Natural Resources Committee last week contains some of the House Energy and Commerce Committee’s cybersecurity provisions and is tagged for inclusion in a pending bipartisan infrastructure package. 

On Wednesday, Pallone also celebrated the movement of a number of telecom-focused cybersecurity bills through committee. 

“Today I am proud that the Energy and Commerce Committee came together to pass urgently needed legislation that will promote more secure networks and supply chains, bringing us one step closer to a safer and more secure wireless future,” he said. “Collectively, these bipartisan bills will educate the public, smaller providers, and small businesses on how best to protect their telecommunications networks and supply chains—all while improving the coordination and resources necessary to support them.”

Among that package of bills is one from Reps. Anna Eshoo, D-Calif., and Adam Kinzinger, R-Ill., that would “require the National Telecommunications and Information Administration to examine and report on the cybersecurity of mobile service networks and the vulnerability of these networks and mobile devices to cyberattacks and surveillance conducted by adversaries.” 

Along with others in the package, the bill would significantly expand the cybersecurity responsibilities of NTIA, a Commerce agency. The effort comes after the Federal Communications Commission—under former Chairman Ajit Pai—abandoned some of the agency's work on cybersecurity. The FCC is a regulatory agency under the jurisdiction of the Energy and Commerce Committee, but DHS is considered the sector risk management agency listed for the communications sector.

The bill with the fastest time from introduction to floor vote this week was one with provisions on staffing the office of the National Cyber Director. It passed the Senate Thursday after being introduced the day before with support from Sen. Angus King, I-Maine, co-chair of the congressionally mandated Cyberspace Solarium Commission. 

The commission has identified congressional turf fights as a roadblock to progress on cybersecurity. Creation of the national cyber director position was its chief recommendation for coordinating federal cybersecurity activity.  

"We can't afford to wait until the next big cyber incident before making sure the NCD office is fully operational," Rep. Jim Langevin, D-R.I., co-chair of the Congressional Cybersecurity Caucus and a member of the commission told Nextgov. "Senators Portman and Peters did a great job moving this legislation through the Senate, and I hope to work with Chairwoman [Carolyn Maloney, D-N.Y.] to advance it in the House."