Our nation’s electrical grid, which is a key component of the critical infrastructure, is better than much of the world, but as recent outages following winter storms have shown, it could use a little “TLC.” Most of today’s grid actually was built in the 1950s and 1960s and was expected to have a 50-year life expectancy. As a result, across much of the country, the grid is living is on borrowed time.
According to a U.S. Energy Administration report from 2016, the average utility customer had 1.3 power interruptions per year, and a total blackout time averaging four hours. Much of the loss of power was nature or accidents, and updating that critical infrastructure is crucial to ensuring that rolling blackouts don’t become a norm.
Cybersecurity and the Electrical Grid
However, there is also the issue of securing the electrical grid to ensure that it can’t be taken down with the proverbial “flip of a switch” by a bad actor or foreign adversary. By the very virtue of its complexity and size, the U.S. electric grid is vulnerable to physical and cyber attacks.
This week the Department of Energy (DOE) launched an initiative to enhance the cybersecurity of electric utilities’ industrial control systems (ICS), as well as to secure the energy sector supply chain, as one part of the Biden administration’s efforts to safeguard critical infrastructure.
The DOE kicked off a “100-day plan,” which it described as a coordinated effort between the department, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA). The plan calls for swift, aggressive actions to confront cyber threats from adversaries who could seek to compromise the critical systems that are essential to U.S. national and economic security.
“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” Secretary of Energy Jennifer M. Granholm said in a statement. “It’s up to both government and industry to prevent possible harms—that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system.”
The 100 Day Plan
The DOE announced that over the next 100 days, the department’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) – in partnership with electric utilities – will continue to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.
The initiative is meant to modernize cybersecurity defenses, which includes encouraging owners and operators to implement measures to enhance the detection, mitigation, and forensic capabilities; and to reach set milestones for the owners and operators to identify and deploy technologies to enable near real time situational awareness and response capabilities in ICS, as well as operational technology (OT) networks.
Additionally, the 100-day plan calls for the reinforcing and enhancing of the cybersecurity posture of critical infrastructure information technology (IT) networks; and for a voluntary industry effort to deploy technologies to increase visibility of threats in ICS and OT systems.
Earlier this month, CESER introduced three new research programs that are designed to safeguard and protect the U.S. energy system from potential cyber and physical hazards.
“The safety and security of the American people depend on the resilience of our nation’s critical infrastructure,” said CISA Director (Acting) Brandon Wales. “This partnership with the Department of Energy to protect the U.S. electric system will prove a valuable pilot as we continue our work to secure industrial control systems across all sectors.”
DOE’s RFI
The DOE also released a new Request For Information (RFI) to seek input from electric utilities, energy companies, academia, research laboratories, government agencies, and other stakeholders to inform future recommendations for supply chain security in U.S. energy systems.
The DOE will evaluate new executive actions from the comments received from the RFI. In addition, the DOE announced that with the release of the RFI, in order to provide a consistent and clear policy environment, it is revoking the “Prohibition Order Securing Critical Defense Facilities.”
Fixing the Infrastructure
One of the biggest hurdles in protecting the electrical grid is that it could be described as a “hodgepodge” of systems, and even networks. With some of the oldest parts dating back decades or longer, there isn’t one platform or network that must be addressed.
“As DOE kicks off its 100-Day Plan to address cybersecurity risks to the U.S. Electric System, we note that Energy is one of 16 sectors but it is a foundational sector due to the dependence of other sectors (Information, Healthcare, Communications) on energy,” warned John Callahan, PhD, chief technology officer at cybersecurity research firm Veridium.
“One of the major problems in all of these sectors is the lack of interoperability between industrial control systems (ICS), operational technologies (OT) and Internet-of-Things (IoT) devices (and networks) in general,” Callahan told ClearanceJobs via an email.
Callahan has suggested a different solution to the problem at hand.
“Today, the FIDO Alliance announced a better way to break through all the stovepipes of ICS/OT/IoT platforms that allows for a unified approach for systems of devices, access control to such systems, and onboarding trusted devices into such systems,” Callahan added.
The FIDO Alliance is a consortium of over 250 companies including Google, Microsoft, Veridium and Intel dedicated to interoperability for critical control solutions, explained Callahan. “The FIDO Device Onboarding (FDO) standard provides an automatic onboarding protocol for devices and permits late binding of device credentials so that one manufacturer’s device may be onboarded across different platforms.”
