In a report released this week, the Department of Energy found “significant opportunities” for improvement in its handling of the security needs of U.S. defense facilities and the utilities that serve them.
The report, titled “Strengthening the Resilience of Defense Critical Electric Infrastructure,” was produced by DOE’s Electricity Advisory Committee (EAC). It focuses on defense critical electric infrastructure (DCEI), defined in the Federal Power Act as “any electric infrastructure that serves” critical defense facilities (CDFs), themselves defined as critical to the defense of the U.S. and vulnerable to disruption of electric energy provided by an external service. It was based on interviews conducted with utilities that own and operate DCEI, which DOE dubs “responsible utilities” (RUs).
DOE launched its first program of outreach to RUs in 2019 under its Office of Electricity; the initiative was later shifted to the Office of Cybersecurity, Energy Security and Emergency Response (CESER). While the report’s intent was “not to criticize the DCEI program or its initial rollout,” the EAC found several areas where the implementation could be improved.
The first area has to do with the goals of the program — or rather the lack thereof. Many RUs complained about “DOE’s objectives for the DCEI program,” with one interviewee asking, “What are [the Department of Defense] and DOE trying to achieve here? That needs to be clearly articulated so industry can provide recommendations on how best to achieve” the program’s goals.
Others said they “don’t really know what DCEI is,” or complained that while the Fixing America’s Surface Transportation (FAST) Act of 2015 required DOE to identify CDFs and DCEI, it said “nothing beyond that.” This lack of clarity is compounded by the absence of a dedicated team within DOE to engage with industry, coordinate engagement between RUs and multiple DOE offices, and establish greater unity of effort between DOE and DOD. RUs reported feeling “whipsawed” with requests for engagement from both departments.
Questions on Funding and Resilience Targets
Another issue for many RUs is funding, specifically the question of how to pay for resilience improvements requested as part of the DCEI outreach.
This is a complex topic because a project intended to benefit a particular CDF may also benefit ordinary ratepayers in the region, leading some to suggest utilities should recover the cost for such projects through normal means. However, this is not guaranteed: A substation built in a remote location may benefit few or no ratepayers, while one in a crowded urban area may be expensive and have difficulty getting a permit.
In either case, such a project would not be the choice of the utility or the local customers, and requiring ratepayers to foot the bill would arguably be unjust. One RU observed that “the Pentagon never imagines that it could get F-35s for free” and criticized DOE for wanting “additional substations for free,” while another said that DOE and DOD should “find a pot of money to pay for” upgrades necessary for national security.
The challenge of identifying “specific resilience needs for DCEI” is “closely related” to that of funding, the report said, as it plays into the question of which projects to prioritize. The report called for resilience assessment tools, standards and metrics tailored to DCEI and the needs of utilities serving CDFs.
“What criteria should be established to assess progress toward achieving DCEI resilience goals? And are these goals appropriate to apply to DCEI and RUs, versus or in combination with applying them to CDFs for ‘inside the fenceline’ resilience?” the EAC asked. “These and other questions will take years to resolve and will need close coordination with initiatives on supply chain risk management, industrial control systems (ICS) security and other DOE resilience initiatives.”
Better Communication for Fast Response
RUs also suggested that DOE’s practices for sharing threat information with industry could be improved in light of the “harsh reality” that utilities serving defense facilities are likely to be targets in any coordinated action against the U.S. The report’s drafters noted a 2019 study that found “existing information sharing and partnership structures … neither agile enough nor tactical enough to respond to a cyberattack with the necessary speed.”
While the EAC acknowledged that progress has been made since then, it pointed to significant intelligence gaps that still prevent fast, flexible responses to new threats. Among the suggested solutions were:
- a Critical Infrastructure Command Center: a secure space where senior executives and cybersecurity staff from different sectors can work with government to fight back against cyber threats; and
- a Joint Collaborative Environment: a clearinghouse for sharing cyber threat data “among federal entities and between the U.S. government and the private sector.”
Finally, the report said its proposed DCEI team within DOE should lead more conversations on long-term policy changes. It is very possible that both the definition of CDFs and the understanding of their energy needs could change in the future, the report said; if they do, RUs will need to be informed promptly so that they can adapt their practices.
“Key to the success of improving DCEI resilience is establishing a structured, formalized team within DOE for industry engagement on DCEI issues,” the report said. “This would build upon the accomplishments made by DOE to date and serve as a prerequisite for moving forward on all the other proposals identified in this study.”