NIST Cybersecurity Standards Encourage Proactivity
Karen Evans, DOE’s assistant secretary for CESER, who also testified at that hearing, highlights the intersectional nature of the office. “We work really closely with the states to make sure that all the resources in the department are shared with the state emergency response teams,” she says.
However, the office’s role is not just to support emergency response. CESER’s efforts, which follow the National Institute of Standards and Technology’s Cybersecurity Framework, are primarily proactive.
“We’re trying to change the dynamic so we’re more focused on the detect-and-protect aspects,” Evans says; this is considered the surest way of limiting impact and minimizing threats.
However, this is not a simple task when talking about America’s energy grid. “We don’t own the infrastructure. Ninety percent of it is owned by private industry,” Evans notes. As a result, federal agencies must work closely with state-level stakeholders and the private sector.
Information Sharing and Exercises Help Utilities Defend Against Attack
DOE and CESER manage the complex problem of energy infrastructure cybersecurity through two main avenues. Information sharing and analysis centers, or ISACs, established under a 1998 presidential directive, play a critical role in the process, “maximiz(ing) information flow across the private sector critical infrastructures and with government,” according to the National Council of ISACs website.
The Energy ISAC provides updates and bulletins on emerging threats and new standards for compliance, which are disseminated through the Multi-State ISAC to state agencies and private sector organizations.
CESER also engages in regular preparedness exercises, including the North American Electric Reliability Corporation’s Grid-Ex program. NERC, the National Governors Association, energy suppliers and the military all take part in the exercise. Grid-Ex also includes corporate partners (such as AT&T) who provide specialized software solutions to protect energy infrastructure built to comply with the NIST Cybersecurity Framework.
The exercise is designed to probe the grid for vulnerabilities and identify solutions to them. “There are a lot of lessons learned that we take from those exercises,” says Evans.
The West Virginia National Guard Critical Infrastructure Protection Battalion is among the groups that represent the military in Grid-Ex exercises. Maj. William Keber, the battalion’s executive officer, says that the group’s role with respect to DOE and state-level agencies is to “analyze energy sector concerns that impact government facilities and operations.”
The National Guard recognizes the importance of information sharing in protecting the nation’s energy infrastructure from cyberattack, he says, adding, “We realize that professional exchanges of best practices are an effective way to foster relationships between our organization and civilian organizations.”