The Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has three new research programs that are designed to safeguard and protect the U.S. energy system from potential cyber and physical hazards. This comes as the U.S. electricity grid’s distribution systems, which are the parts of the grid that actually carry power to consumers, have become more vulnerable to cyberattacks.
The threats have come with the greater introduction of, and reliance on, monitoring and control technologies.
CESER’s portfolio is meant to better protect the energy supply chain from security vulnerabilities, including those that are part of the critical infrastructure. This includes protecting them from such physical threats as electromagnetic and geomagnetic interference, but also ensuring that there is an adequate pipeline for talent to meet the demands of next-generation cybersecurity.
“Our energy system faces unprecedented threat levels from hackers, foreign actors, and natural catastrophes supercharged by climate change — which is why enhancing security is a priority for this administration,” said Secretary of Energy Jennifer M. Granholm, T&D World reported.
“What’s more, President Biden’s clean energy goals all depend on resilient electrical infrastructure,” added Granholm. “These new programs will help put us a step ahead of all manner of threats so we can provide safe, reliable power to American households.”
However, even as the DOE is working on the energy sector portion of the national cybersecurity strategy, the Government Accountability Office (GAO) has warned that the agency is too focused on risks facing the grid’s generation and transmission systems. GAO has recommended that the DOE more fully address risks to the distribution systems. The DOE has already agreed with the assessment.
“Securing U.S. critical infrastructure, particularly in the energy sector, is one of our most important and complex national security challenges,” explained Patricia Hoffman, CESER acting assistant secretary. “Our vision with these programs is to bring together key partners — from industry to the states to the universities — with the expertise and inventiveness needed to enhance energy sector resilience.”
The Threat Vector
The seriousness of the threat a cyberattack poses to DOE infrastructure has largely been overshadowed by other threats, including those to the private sector, such as health care and banking. However, in the case of the electrical grid, an attack could quite literally bring the country to a standstill.
“What’s most scary about the energy sector is that we haven’t really had a major issue – at least, not cyber-related – and this is scary since we don’t know how bad it will be once it happens,” said Aviram Jenik, CEO and Co-Founder at Beyond Security.
“It’s like a tension build up in tectonic plates that have not yet been released via earthquake; when it finally happens it can be a really big one,” Jenik told ClearanceJobs.
There are a number of threats that the DOE now faces.
“Things keep piling up: ransomware is becoming more frequent, and more profitable for attackers; critical infrastructure networks are less and less disconnected ‘IT islands’ and more a part of the Internet which increases access; and the number of vulnerabilities just increases, making it harder and harder to manage IT and OT assets,” added Jenik.
This is on top of the damage that has come from natural disasters, which the DOE must also address.
“On the potential damage side, just these last 15 months we got to see what damage to a few local sites can do to the electric grid in two of the biggest US states: California and Texas. We have very little redundancy built in and many single points of failure. This means that the stakes are high.”
The significant danger is that while it would be difficult for a non-peer adversary to do significant physical damage to the United States in a traditional conflict, cyber has leveled the playing field. A rogue state could strike hard and fast at our nation’s infrastructure and do considerable harm in a way that bombs and missiles could never manage.
“The energy sector is a tempting threat,” warned Purandar Das, CEO and co-founder of data security firm Sotero. “As strategy has shifted to include cyber warfare, both as a strategy and a weapon, sectors such as hospitals, financial institutions and energy have come into focus.”
These are sectors or institutions that rely heavily on interconnectivity and serve as backbones for the nation, added Das.
“The energy sector is also most completely dependent on the grid for both delivery and transport. In many ways it is a technological marvel,” he told ClearanceJobs. “In other ways the security may not be keeping up with the cyber weapons that nation state attackers have developed. The ability or opportunity to cripple large sectors of the country by attacking a single target, whose security is perceived to be weak, is what makes the grid so appealing. And energy powers many other services and industries that are impacted. The Texas power outages, although not a deliberate attack, illustrate the wide-ranging impact of grid outages.”
The failures of the power grid in Texas only highlight why it would be such a tempting target. This is especially worrisome, given the changing geopolitics.
“The U.S. is entering a new Cold War phase with at least two very sophisticated adversaries: Iran and China and possibly also with Russia and North Korea,” said Jenik. “The latter two countries have demonstrated what nation-level cyber research can produce: Russia and North Korea are directly responsible for countless successful security attacks on all levels; North Korea’s economy is almost dependent on ransomware revenue and Russia was probably behind the SolarWinds attack, the most severe deliberate supply chain attack in history.”
These potential adversaries may see the energy sector as a strategic critical infrastructure target and could be spending billions of dollars in research to develop the means to conduct such an attack.
“Sophisticated adversaries, lots of potential threats and high table stakes make the job of an energy sector CISO (chief information security officer) unimaginably scary,” added Jenik. “With that said, the U.S. energy sector has a history of innovation and is far from being complacent: this positions it to be able to cope with those challenges, as big as they may look to us right now.”