The Energy Department has an obligation to protect both public and private energy interests on critical infrastructure.
This year has been a pivotal year for malicious cyber actors—particularly those interested in targeting U.S. critical energy infrastructure. In February, a hacker trying to infiltrate a water treatment plant in Florida attempted to adjust the sodium hydroxide levels to alarmingly dangerous levels. Just a few months ago, the ransomware attack on Colonial Pipeline disrupted one of the largest refined gasoline pipelines in the United States for almost a week, and states across the Eastern Seaboard felt the effects.
The federal government cannot afford to idly sit by and leave U.S. energy infrastructure vulnerable. The Energy Department, as the sector risk management agency for the energy industry, has an obligation to protect both public and private energy interests on critical infrastructure. One of the key ways Energy can fulfil this obligation is by providing incentives for private-sector companies to adopt regulations and best practices, like testing software supply chains, to further protect U.S. critical infrastructure.
Barriers Impeding Progress
There are several barriers currently impeding progress in protecting critical energy infrastructure. First, demand signals for cybersecurity in Energy changes with each administration. As a result, there is little clarity and consistency for private companies in the energy sector. There needs to be a deeper understanding of demand signaling from the government on what is specifically needed for the private sector to comply with government regulations.
Second, updating Federal Energy Regulatory Commission guidelines is an incredibly slow process. FERC regularly issues guidelines for industries to ensure “regulatory certainty” for relevant stakeholders, including government agencies and private companies. Because it takes a significant amount of time for FERC to update these standards, it leads to a long tail of investment, which in turn leads to lags in investment cycles in the private sector. Standards can be rendered obsolete after a single event, which then renders the investment obsolete. This hinders the effectiveness of FERC’s guidelines for energy sector cybersecurity.
Third, there is a need for broader awareness and understanding of where the authorities are for cyber protections in the energy sector. Politicians on the Hill and analysts in the intelligence community often do not understand where relevant authorities exist within the energy sector to encourage or compel improved security behaviors and the extent to which they are successfully accomplishing these tasks.
Fourth, there is a lack of common understanding between the private sector and the intelligence community regarding intelligence sharing capabilities. Where the intelligence community is focused on national security issues and safety and security of the nation, private sector intelligence teams are often dedicated to support a product or service and tend to emphasize the security of their customers. How these respective processes are tasked, and prioritize collections, can lead to gaps where the intelligence community is unfamiliar with private sector needs, which makes it difficult to anticipate, collect and analyze valuable information collaboratively. This can create a frustrating loop. Further, the intelligence community rarely shares intelligence about related attacks and attackers with victims. This practice limits private and public sector collaboration, and pattern identification.
Despite these barriers, modern priorities, cyber technology and research initiatives promise new opportunities for Energy to incentivize private actors to improve the cybersecurity of critical energy infrastructure. Although administrations over the years have had varying demands for cybersecurity in Energy, continued threats and attacks to the energy grid increase the consensus that energy cybersecurity is a national security priority. In March, the Government Accountability Office’s report, "Electricity Grid Cybersecurity," concluded that energy infrastructure is increasingly at risk from cyberattacks, and Energy must expand its plans to address and mitigate these risks. Both private and public actors recognize the importance of improving energy cybersecurity and are addressing these issues through research, product creation, and information sharing.
Energy’s Office of Cybersecurity, Energy Security, and Emergence Response recently launched three programs to improve energy cybersecurity. Most notably, the Cyber Testing for Resilient Industrial Control System program (CyTRICS), scans software and firmware in energy sector equipment for cyber supply chain vulnerabilities to proactively address threats. CESER shares discovered vulnerabilities with vendors, manufacturers, and utilities to create mitigation strategies, alert partners and address the cybersecurity issues. This program simultaneously improves national energy security and empowers the private sector to strengthen cybersecurity. Schneider Electric, an energy systems equipment manufacturer, signed a formal agreement to participate in CyTRICS in 2020, signaling others may follow. At a recent event hosted by the Atlantic Council’s Cyber Statecraft initiative, several industry and government leaders lauded CyTRICS’s ability to move the energy industry out of a reactive state and into a strategic framework for “baked-in” cybersecurity and mitigation of future attacks.
As cyber capabilities embed themselves into the energy sector’s foundation, critical infrastructure expands to include the technology supporting the energy industry. New industry products are being created with security in mind; however, cybersecurity culture has focused on patching existing code, tools, and products rather than paying for improved replacements. The long-term impacts of paying off hackers, creating patches, and business losses heavily outweigh the cost of investing in new products with “baked-in” security.
Expanding beyond patching to provide secure software, firmware, and products is germane to protecting critical infrastructure. This includes educating direct actors like electricians or IT professionals on basic cybersecurity priorities, concerns, and best practices. An informed body of workers will be able to set systems up securely and identify potential cybersecurity threats. Further integrating the cloud—despite its limits—in a secure fashion is another opportunity for improving cybersecurity and incentivizing the private sector to do the same. The cloud offers new opportunities, including adaptable and cost-effective service, along with new risks to companies of all sizes in the energy sector.
Effective information sharing and intelligence collection presents a challenge to the energy community. Nearly 80% of modern critical infrastructure is owned by the private sector but remains the government’s responsibility to protect. Despite these challenges, both public and private sector actors agree: protecting energy cybersecurity and resilience is paramount. As the various public and private players navigate the best practices and learn to ask the right questions, collaboration will persist. To fulfill their mission of defending public and private critical energy interests, Energy must incentivize private companies to adopt cybersecurity practices and bolster critical infrastructure security.
Tasha Jhangiani is a research analyst with the U.S. Cyberspace Solarium Commission. In addition to her work with the Commission, she is a Future Digital Security Leaders Fellow with the Institute for Security and Technology.
Madison Lockett is a graduate student at Georgetown University's Walsh School of Foreign Service.