The clean energy transition in the U.S. is creating a grid that is increasingly distributed, increasingly digital and, therefore, increasingly vulnerable to cyberattacks.
But, according to a new report from the Atlantic Council, even as the war in Ukraine has raised concerns about Russia deploying a range of cyber disruptions to energy systems in the U.S. and Europe, “the public and private sectors lack a unified strategic framework to secure energy infrastructure against cyber threats.”
“Existing authorities intended to clarify responsibilities for cybersecurity and assign roles to the Department of Homeland Security, the Department of Energy and other agencies are ambiguous in practice,” the report says. “Ambiguities and gaps in jurisdiction lead to weaker cybersecurity practices, wasted effort by government, confusion for the private sector and missed opportunities for timely information sharing that would strengthen security.”
At a launch event for the report on Tuesday, former Homeland Security Secretary Michael Chertoff said the immediate need is to bring “all the tools in the toolbox together in order to make sure we have both public and private coordination and strategy in terms of protecting our infrastructure.”
Security is not “just protecting your endpoints,” Chertoff said. “It involves the way you structure your network, how you build resilience, how you respond to attacks, how you warn of attacks and how you exercise and train people.”
Chertoff, who led DHS under President George W. Bush, and retired Army Gen. Wesley Clark were co-chairs of the Atlantic Council task force that produced the report, and they opened the launch event with a fireside chat-style conversation.
Entitled “Securing the Energy Transition Against Cyber Threats,” the report outlines a broad set of solutions rooted in a collaborative approach to the roles and responsibilities the public and private sectors each must take on to keep the country’s rapidly transforming grid secure. On the federal side, for example, the report says a strategic realignment is needed between FERC, DHS and DOE, the three federal agencies tasked with different aspects of energy system security.
While FERC and NERC set reliability standards for the bulk power system, only 10 to 20% of the U.S. electricity system falls under their jurisdiction, the report says. Distribution systems are not covered, which means the U.S. has “no single central authority for cybersecurity preparedness,” the report says, citing a 2016 report from the Massachusetts Institute of Technology.
“The only way we’re going to fix this really is to stay on top of it,” said Clark, who served as NATO Supreme Allied Commander for Europe under President Bill Clinton. “Because not only do you have to have public attention, which the Ukraine war has helped us to develop, but what you’re bringing attention to is constantly evolving underneath as new technology emerges, new business investments are made and new threat attack vectors are developed.”
Looking to the challenges ahead, Chertoff said, “Much of the regulatory and security architecture built in the U.S. ― and frankly including NATO ― over the last few years was built episodically. The pieces don’t necessarily fit together. There’s overlap; there’s duplication; there’s even inconsistency.
“It’s really time to sit down and map out what is our strategic architecture,” he said. “What are the standards we should enforce and promote? And what are the training and planning exercises we have to engage in so we can respond quickly?”
The report’s other recommendations for government include:
- updating federal policy directives to “crystallize” the role of DHS’ Cybersecurity and Infrastructure Security Agency as “leader of the national unity effort for critical infrastructure protection”;
- realigning “the jurisdictional bounds of Senate and House committees to minimize areas of overlapping oversight” resulting from the multiple committees focused on different aspects of cybersecurity; and
- establishing a cyber bank or low-interest cyber fund to “help qualifying companies … obtain financing at low rates ― which could also include loan forgiveness provisions tied to metrics.”
No More ‘Silver Bullets’
On the business side, the report calls for urgent “improvements in how the private sector secures its critical technologies and works with the public sector to respond to the most accurate and timely threat information.”
Speaking on a panel at the launch event, former FERC Commissioner Neil Chatterjee said, “The landscape of 21st-century warfare has evolved to such a point that now private sector companies find themselves on the frontline.” A cyberattack on critical energy infrastructure may “have the same national security, economic security impact as a military-style attack,” said Chatterjee, who is now a senior adviser at law firm Hogan Lovells.
While voluntary standards ― like ISA/IEC 62443 ― provide a good baseline for corporate efforts to ensure supply chain cybersecurity, the lack of consistent, cross-industry standards leaves open potential “attack pathways,” particularly with operational technology, the report says.
“Unable to rely on a known standard or a regulatory body, each organization must expend effort assessing its own supply chain or accept increased risk,” the report says. “Unfortunately, the energy system in the United States has never been subject to a system wherein OT products connected to the grid must meet an enforceable set of standards beyond the most rudimentary and basic principles of cybersecurity.”
Leo Simonovich, global head of industrial cyber and digital security at Siemens Energy, agreed that “many utilities are struggling to get their hands around the issue of industrial cyber operational technologies. … But to better understand risk, you have to be able to detect, to understand your exposure, and yet many utilities today are operating blind. They don’t have the capabilities to be able to adopt many of these technologies.”
Getting advanced security systems to small and medium-sized utilities ― such as municipals and cooperatives ― should be a particular priority, Chertoff said. They are an integral part of the energy ecosystem, he said, but “they don’t have the knowledge or the economic ability to raise their level of security.”
Megan Samford, chief product security officer with Schneider Electric, pitched hard for 62443 as a possible solution to this economic and technical divide. The standard can “tell you what needs to be done at every level by the different parties invested, and it can show you over time how you could move” from very basic to more sophisticated levels of cybersecurity.
The industry needs to stop chasing “silver bullets,” she said, and instead “draw a line in the sand and … say, ‘We’re going to depend on implementation of a standard, and we’re going to measure performance against the compliance of that standard.’”
But neither industry nor government can ensure system cybersecurity alone, nor should they be expected to, Clark said. Given the nature of the energy industry and the often slow pace of federal and state regulation, change is likely to be incremental, he said.
“If you’re going to put in higher standards both for IT and OT, you’re going to have to resource it,” he said. “And this means the federal government is going to have a greater responsibility to help the widely distributed participants in the power sector fund what they need to keep the country secure.”
Moving at the Speed of Attackers
On a more granular level, Simonovich said that utilities need to define “ownership of operational technology,” which is often split between “the folks who run the plants and the IT security teams.”
“One of the best things we can do is encourage defining a unified operating model between those two functions within organizations and then … develop roadmaps that drive change, not just in creating better hygiene, but also in creating a more innovative approach to driving adoption of technology,” he said.
State regulators and policymakers also have a critical role to play in ensuring cybersecurity is “embedded” in the policies and projects they advance, said Adrienne Lotto Walker, chief risk and resilience officer for the New York Power Authority.
“You see a lot of [requests for proposals] getting issued out of states and … a lot of policies being made at the state level that are focused on decentralizing the grid, clean energy, but they tend to be devoid of embedding cybersecurity,” Walker said. “The RFP will literally say nothing about how it’s going to be connected, what the cyber architecture will look like.”
Another major challenge is improving communication and critical information sharing on cyber threats or attacks between business and government, the report says.
“Information and threat intelligence must move at the speed of attackers,” the report says. “Unfortunately, this [information] sharing is often bogged down by a complex intragovernmental system riddled with duplicative actors and processes making it difficult, costly and inefficient for the private sector to cooperate with their government counterparts.”
Liability protection is one facet of the problem. Companies may be hesitant to share information with federal agencies, fearing “their own data might be used against them by regulators or law enforcement officials should an event occur,” the report says.
A 2002 law gives some protection to companies sharing information with DHS, but a 2015 law also gave DOE and FERC the ability to provide liability protection to energy companies sharing information with them. The government should consolidate or reconcile the protections that the different agencies can provide in a common framework, the report says.
“The purpose of information in my mind should never be information sharing for information sharing,” Samford said. “Sharing information is needed to give decision-makers maneuver room … to adjust plans; make calls; to shore up response plans,” she said. “If the war is being brought to the private sector, then there has to be a consistent framework that is used for the private sector to interact with the government.”