How the Energy Department Can Improve Cybersecurity in the Energy Industry

A note posted at a gas pump indicates the pump is out of premium gasoline at a Costco Warehouse fuel station, Tuesday, May 11, 2021, in Ridgeland, Miss. Rogelio V. Solis/AP

The Energy Department has an obligation to protect both public and private energy interests on critical infrastructure.

This year has been a pivotal year for malicious cyber actors—particularly those interested in targeting U.S. critical energy infrastructure. In February, a hacker trying to infiltrate a water treatment plant in Florida attempted to adjust the sodium hydroxide levels to alarmingly dangerous levels. Just a few months ago, the ransomware attack on Colonial Pipeline disrupted one of the largest refined gasoline pipelines in the United States for almost a week, and states across the Eastern Seaboard felt the effects. 

The federal government cannot afford to idly sit by and leave U.S. energy infrastructure vulnerable. The Energy Department, as the sector risk management agency for the energy industry, has an obligation to protect both public and private energy interests on critical infrastructure. One of the key ways Energy can fulfill this obligation is by providing incentives for private-sector companies to adopt regulations and best practices, like testing software supply chains, to further protect U.S. critical infrastructure.

Barriers Impeding Progress

There are several barriers currently impeding progress in protecting critical energy infrastructure. First, demand signals for cybersecurity in Energy change with each administration. As a result, there is little clarity and consistency for private companies in the energy sector. There needs to be a deeper understanding of demand signaling from the government on what is specifically needed for the private sector to comply with government regulations.

Second, updating Federal Energy Regulatory Commission guidelines is an incredibly slow process. FERC regularly issues guidelines for industries to ensure “regulatory certainty” for relevant stakeholders, including government agencies and private companies. Because FERC takes a significant amount of time to update these standards, the result is a long tail of investment, which in turn leads to lags in investment cycles in the private sector. Standards can be rendered obsolete after a single event, which then renders the investment obsolete. This hinders the effectiveness of FERC’s guidelines for energy sector cybersecurity.

Third, there is a need for broader awareness and understanding of where the authorities are for cyber protections in the energy sector. Politicians on the Hill and analysts in the intelligence community often do not understand where relevant authorities exist within the energy sector to encourage or compel improved security behaviors and the extent to which they are successfully accomplishing these tasks.

Fourth, there is a lack of common understanding between the private sector and the intelligence community regarding intelligence-sharing capabilities. Where the intelligence community is focused on national security issues and the safety and security of the nation, private sector intelligence teams are often dedicated to supporting a product or service and tend to emphasize the security of their customers. How these respective processes are tasked, and how they prioritize collections, can lead to gaps where the intelligence community is unfamiliar with private sector needs, which makes it difficult to anticipate, collect and analyze valuable information collaboratively. This can create a frustrating loop. Further, the intelligence community rarely shares intelligence about related attacks and attackers with victims. This practice limits private and public sector collaboration and pattern identification.

New Opportunities  

Despite these barriers, modern priorities, cyber technology and research initiatives promise new opportunities for Energy to incentivize private actors to improve the cybersecurity of critical energy infrastructure. Although administrations over the years have had varying demands for cybersecurity in Energy, continued threats and attacks to the energy grid increase the consensus that energy cybersecurity is a national security priority. In March, the Government Accountability Office’s report, "Electricity Grid Cybersecurity," concluded that energy infrastructure is increasingly at risk from cyberattacks, and Energy must expand its plans to address and mitigate these risks. Both private and public actors recognize the importance of improving energy cybersecurity and are addressing these issues through research, product creation, and information sharing.  

Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) recently launched three programs to improve energy cybersecurity. Most notably, the Cyber Testing for Resilient Industrial Control Systems program (CyTRICS) scans software and firmware in energy sector equipment for cyber supply chain vulnerabilities to proactively address threats. CESER shares discovered vulnerabilities with vendors, manufacturers, and utilities to create mitigation strategies, alert partners and address the cybersecurity issues. This program simultaneously improves national energy security and empowers the private sector to strengthen cybersecurity. Schneider Electric, an energy systems equipment manufacturer, signed a formal agreement to participate in CyTRICS in 2020, signaling others may follow. At a recent event hosted by the Atlantic Council’s Cyber Statecraft initiative, several industry and government leaders lauded CyTRICS’s ability to move the energy industry out of a reactive state and into a strategic framework for “baked-in” cybersecurity and mitigation of future attacks.

As cyber capabilities embed themselves into the energy sector’s foundation, critical infrastructure expands to include the technology supporting the energy industry. New industry products are being created with security in mind; however, cybersecurity culture has focused on patching existing code, tools, and products rather than paying for improved replacements. The long-term impacts of paying off hackers, creating patches, and business losses heavily outweigh the cost of investing in new products with “baked-in” security.

Expanding beyond patching to provide secure software, firmware, and products is germane to protecting critical infrastructure. This includes educating direct actors like electricians or IT professionals on basic cybersecurity priorities, concerns, and best practices. An informed body of workers will be able to set systems up securely and identify potential cybersecurity threats. Further integrating the cloud—despite its limits—in a secure fashion is another opportunity for improving cybersecurity and incentivizing the private sector to do the same. The cloud offers new opportunities, including adaptable and cost-effective service, along with new risks to companies of all sizes in the energy sector. 

Effective information sharing and intelligence collection present a challenge to the energy community. Nearly 80% of modern critical infrastructure is owned by the private sector but remains the government’s responsibility to protect. Despite these challenges, both public and private sector actors agree: protecting energy cybersecurity and resilience is paramount. As the various public and private players navigate the best practices and learn to ask the right questions, collaboration will persist. To fulfill its mission of defending public and private critical energy interests, Energy must incentivize private companies to adopt cybersecurity practices and bolster critical infrastructure security.

Tasha Jhangiani is a research analyst with the U.S. Cyberspace Solarium Commission. In addition to her work with the Commission, she is a Future Digital Security Leaders Fellow with the Institute for Security and Technology. 

Madison Lockett is a graduate student at Georgetown University's Walsh School of Foreign Service.
