Nov 13 2019

DOE and States Manage Cybersecurity Risk Together

The first cyberattack on a U.S. energy company shows the importance of federal-state collaboration on preventing threats that can affect millions.

In March, a Utah-based renewable energy company became the target of a first-of-its-kind cyberattack on a U.S. utility, sporadically losing track of its generation sites over a 12-hour period.

The Department of Energy said that the attack “is the first confirmed to have caused ‘interruptions of electrical system operations,’” according to E&E News. It affected sites in three states, a sign of how widespread the effects of a cyber incident can be.

Around the world, other countries have already experienced cyberattacks on utilities. Ukraine has been subject to multiple attacks, resulting in widespread power loss. In 2017, a cyberattack on a petrochemical plant in Saudi Arabia nearly caused a deadly explosion; some of those attackers, state-associated Russian hackers, were flagged probing the defenses of the U.S. energy grid in June.

The increasingly interconnected nature of vital systems means an ever-expanding landscape of threats, and energy infrastructure is emerging as one of the most critical intersections of vulnerability and risk.

National Guard and DOE Work Together on Cyberattacks

To address this growing threat, the DOE in 2018 formed the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to serve as a focal point within the department to deal with cybersecurity, energy security and the emergency response function.

In February, the Senate Committee on Energy and Natural Resources held a hearing on cybersecurity efforts in the energy industry. Senators were updated on CESER’s work and heard from state, military and private sector officials who discussed establishing a framework for standards and compliance. 

The West Virginia National Guard Critical Infrastructure Protection Battalion, for example, has assessed cybersecurity infrastructure and trained thousands of employees from the Energy, Defense, Transportation and Homeland Security departments over the past 14 years, and plans to collaborate with the Navy and the Nuclear Regulatory Commission in the future.

“We have already seen the real-world ramifications of cyberattacks on energy infrastructure,” noted committee Chairwoman Sen. Lisa Murkowski, R-Alaska. “We cannot let it happen in the United States.” 

NIST Cybersecurity Standards Encourage Proactivity

Karen Evans, DOE’s assistant secretary for CESER, who also testified at that hearing, highlights the intersectional nature of the office. “We work really closely with the states to make sure that all the resources in the department are shared with the state emergency response teams,” she says. 

However, the office’s role is not just to support emergency response. Following the National Institute of Standards and Technology’s Cybersecurity Framework, CESER’s efforts are primarily proactive.

“We’re trying to change the dynamic so we’re more focused on the detect-and-protect aspects,” Evans says. This is considered the surest way of limiting impact and minimizing threats.

However, this is not a simple task when talking about America’s energy grid. “We don’t own the infrastructure. Ninety percent of it is owned by private industry,” Evans notes. As a result, federal agencies must work closely with state-level stakeholders and the private sector. 

Information Sharing and Exercises Help Utilities Defend Against Attack

DOE and CESER manage the complex problem of energy infrastructure cybersecurity through two main avenues. Information sharing and analysis centers, or ISACs, established under a 1998 presidential directive, play a critical role in the process, “maximiz(ing) information flow across the private sector critical infrastructures and with government,” according to the National Council of ISACs website.

The Energy ISAC provides updates and bulletins on emerging threats and new standards for compliance, which are disseminated through the Multi-State ISAC to state agencies and private sector organizations.

CESER also engages in regular preparedness exercises, including the North American Electric Reliability Corporation’s Grid-Ex program. NERC, the National Governors Association, energy suppliers and the military all take part in the exercise. Grid-Ex also includes corporate partners (such as AT&T) who provide specialized software solutions to protect energy infrastructure built to comply with the NIST Cybersecurity Framework. 

The exercise is designed to probe the grid for vulnerabilities and identify solutions to them. “There are a lot of lessons learned that we take from those exercises,” says Evans. 

The West Virginia National Guard Critical Infrastructure Protection Battalion is among the groups that represent the military in Grid-Ex exercises. Maj. William Keber, the battalion’s executive officer, says that the group’s role with respect to DOE and state-level agencies is to “analyze energy sector concerns that impact government facilities and operations.” 

The National Guard recognizes the importance of information sharing in protecting the nation’s energy infrastructure from cyberattack, he says, adding, “We realize that professional exchanges of best practices are an effective way to foster relationships between our organization and civilian organizations.”
