Inside Cybersecurity

December 7, 2021

Industry offers help in addressing ‘sophisticated threats’ facing electric grid for DOE security plan rollout

By Sara Friedman / April 21, 2021

Industry says understanding “sophisticated threats” that the electricity sector faces will be essential to the Biden administration’s plan to secure industrial control systems and is offering to collaborate with the White House, Energy Department and CISA to make their efforts to secure the grid successful.

The Energy Department announced Tuesday that the Office of Cybersecurity, Energy Security and Emergency Response (CESER) is leading the initial electricity-focused effort under a 100-day plan for securing “U.S. critical infrastructure from persistent and sophisticated threats.”

DOE also signaled that it wants to hear from industry on how to proceed with implementation of a Trump executive order on bulk power systems through the release of a new request for information. The White House has removed its 90-day suspension of the BPS order and revoked a prohibition order that was scheduled to go into effect on Jan. 16 impacting “critical defense facilities.”

“Public-private partnership is paramount to the Administration’s efforts because protecting our Nation’s critical infrastructure is a shared responsibility of government and the owners and operators of that infrastructure,” National Security Council spokeswoman Emily Horne said. “The 100-day plan includes aggressive but achievable milestones and will assist owners and operators as they modernize cybersecurity defenses, including enhancing detection, mitigation, and forensic capabilities.”

Edison Electric Association president Tom Kuhn said, “Given the sophisticated and constantly changing threats posed by adversaries, America’s electric companies remain focused on securing the industrial control systems that operate the North American energy grid. We welcome the new ICS initiative and appreciate that the Biden administration is making cybersecurity for operations a high priority.”

The association president said, “We view cybersecurity as a shared responsibility between industry and government, and EEI and our member companies coordinate closely through the CEO-led Electricity Subsector Coordinating Council (ESCC) to prepare for, and respond to, national-level disasters or threats to critical infrastructure.”

The electricity industry group emphasized how the new initiative is “complementary to other ESCC initiatives already underway, and shows the industry’s willingness to collaborate on new, creative approaches that enhance security.”

EEI said, “As this pilot program evolves, we look forward to working across the industry and with key government agencies to enhance visibility into these critical control systems and to improve situational awareness for emerging threats.”

Marty Edwards, vice president of OT Security at Tenable and former Director of ICS-CERT, said: “It’s encouraging to see DOE and CISA collaborate in securing our most critical infrastructure through this 100-day plan -- initiatives to improve the cybersecurity of our electric grid, water treatment and other critical infrastructure require a complete whole-of-government approach, and this multi-agency collaboration is key in that effort. This plan places a critical focus on near real-time situational awareness, something our electric grid operators have struggled with for too long, even on the modern grid with new IT and OT devices being added every day.”

Edwards said the ICS announcement should be seen as a first step for increasing visibility of threats and vulnerabilities on their networks.

“Securing the nation’s electric grid and critical infrastructure is vital, and while there is more to be done, this 100-day plan from DOE and CISA is a welcome start,” Edwards said.

SCYTHE CEO Bryson Bort said he thinks “the 100-day sprint will be more about establishing specific recommendations with the key question being answered of how do we help the smaller providers? Our resource challenges are funding, technology, and expertise. The reinstatement of EO 13920 clarifies that DOE will not include adversarial nations in the consideration for critical infrastructure technology and security.”

Bort continued: “The 100-day sprint is meant to accomplish two things: 1) establish public trust in our electric grid; 2) create a roadmap for a more robust plan. The first is showing the government is aware of the challenges and is doing something. The longer term benefit which will accrue is increased detection capabilities which will reinforce that trust over the longer term.”

Tobias Whitney, vice president of energy security solutions at Fortress, called the ICS plan and Biden’s initial approach to securing bulk power systems a “net positive.” Whitney said the announcement “gave some insight to industry in terms of what areas of security specifically they are going to focus on.”

Through the RFI, Whitney said, “It appears they are seeking input from various stakeholders around probably one of the most challenging areas of this whole grid security critical infrastructure effort which is the supply chain area. Overall, I thought it was a really good indication of where policymaking and policy ruling is going and giving the opportunity for industry to participate always helps as well.”

Nozomi Networks CEO Edgard Capdevielle said DOE’s plan has “upsides and downsides that should be kept in focus.”

Capdevielle said, “First, it’s reactionary and meant to address past incidents. It’s not forward-thinking or future-proof, and doesn’t address incidents that haven’t been discovered or happened yet. On the upside, the fact we have a plan means the matter is being taken seriously at the highest levels of leadership. Whatever might ultimately prove to be right or wrong with the plan, it can be adjusted and improved upon as we execute. We should view this sprint, like others, as building blocks rather than silver bullets.” -- Sara Friedman