Electric industry, government work together to enhance grid cybersecurity

Published on September 28, 2018 by Jaclyn Brandt

As protecting critical infrastructure from cyberattacks has become a national priority, the electric power industry and U.S. government agencies have strengthened their partnership in order to better tackle energy grid cybersecurity.

Just as a coordinated response between industry and government is critical during natural disasters, the same is true for preparing for and responding to cyber and physical threats to the grid.

For years, electric utilities have worked closely with government security experts to share emerging threat data and information on vulnerabilities to thwart cyberattacks that could potentially disrupt energy services, damage equipment and also threaten public safety. And reflecting the need to further cement those partnerships, both the Department of Energy (DOE) and the Department of Homeland Security (DHS) launched new cyber divisions this year that will focus on coordinating efforts between government and the private sector to protect the nation’s critical infrastructure.

“The frequency, scale, and sophistication of cyber threats have increased and attacks can be easier to launch,” Karen Evans, assistant secretary of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) in the U.S. Department of Energy, testified during a U.S. House Energy and Commerce Committee hearing on Thursday.

Energy cybersecurity and resilience has emerged as a top security challenge, she said, stressing the importance of fostering partnerships with public and private stakeholders.

CESER works closely with federal, state and local governments as well as the private sector to bolster energy infrastructure protection. The office coordinates responses to disruptions to the energy sector, including physical and cyberattacks, natural disasters, and man-made events that impair electricity transmission and delivery, and more.

Acknowledging the need to bolster U.S. cybersecurity capabilities, the Trump Administration released a National Cyber Strategy on Sept. 20. One facet of the strategy focuses on reducing the potential that the most advanced adversaries could cause large-scale disruptions to critical infrastructure.

“Protecting the energy grid is the electric power industry’s top priority, and we commend the Administration for its continued focus on the protection of critical infrastructure,” said Edison Electric Institute (EEI) President Tom Kuhn.

“The release of the National Cyber Strategy is an important next step in our continued industry-government partnership, and through the CEO-led Electricity Subsector Coordinating Council (ESCC) we look forward to working with the Departments of Energy and Homeland Security, and the rest of our government partners to protect the energy grid,” said Kuhn of EEI, which represents all of the nation’s investor-owned electric companies.

The ESCC is the main liaison between the electric industry and the federal government, and aims to coordinate efforts to prepare for or respond to major disasters or threats to critical infrastructure. The ESCC is comprised of the chief executive officers of 22 electric companies and 10 major industry trade associations, representing electric generation, transmission and distribution in the United States and Canada.

Cyberattacks have grown in sophistication as nation-states, such as Russia, seek to exploit any vulnerabilities in U.S. energy delivery systems.

“We’re not talking about amateur hackers, we’re talking about full-time professionals that come to work every day and are paid by our enemy nations to hack into our infrastructure, and that’s their full-time job,” said Duane Highley, president and CEO of the Arkansas Electric Cooperative Corporation (AECC) and Arkansas Electric Cooperatives, Inc. (AECI).

Highley, who serves as a co-chair of the ESCC, told Daily Energy Insider that work to foil cybersecurity threats is “a continual effort on our part.” AECC and other utilities partner with the federal government to help them monitor and recognize threats, as well as anticipate threats that may affect them.

They hold regular threat briefings through a program known as the Cybersecurity Risk Information Sharing Program, or CRISP. Through CRISP, energy sector owners and operators can share cyber threats in almost real-time and analyze the data using classified DOE intelligence. CRISP also delivers cyber alerts directly to companies that have malicious traffic within their IT systems, according to DOE. The voluntary program, managed by the Electricity Information Sharing and Analysis Center (E-ISAC), counts 26 participating utilities that account for approximately 75 percent of U.S. electricity customers, DOE says.

The CRISP program also includes contributions from national labs such as Pacific Northwest and Argonne National Laboratories, which have access to classified information that comes from various intelligence-gathering methods, Highley said, explaining that they may detect patterns through data analysis and can warn utilities about cyber threats.

“They can say, ‘Well, you might want to go turn this particular computer off or reformat it,’ or it may be a particular piece of software…” without having to reveal classified information, Highley said.

Through this process, a large number of threats against utilities have been deterred, he said, including those identified as Russian threats, which were essentially halted as a result of the program.

The electric power industry also works with third-party vendors to strengthen cybersecurity and has developed a cyber mutual assistance program, modeled on the traditional mutual assistance program it uses during natural disasters.

“You need to protect yourself, but not all protections are going to work against the nation-states that have thousands of workers working on this,” said Nathan Mitchell, senior director of cyber and physical security services at the American Public Power Association (APPA). “So we have incorporated into our program how to ask for help if the adversary gets into their systems and actually creates a problem where they can’t get back online.”

More than 140 entities, including investor-owned natural gas and electric companies, electric cooperatives, public power utilities, Canadian power companies, and Regional Transmission Organizations/Independent System Operators (RTOs/ISOs), are participating in the program, according to several electric power industry trade groups.

“We haven’t had an attack that propagated to a loss of load that was in the United States,” Mitchell added. “But we know that the adversaries are getting better.”

APPA works with 2,000 electric and municipal utilities and has developed cyber resources for its members, including an online self-assessment tool for utilities to test their cybersecurity programs. The goal is to create processes for utilities to use to manage cybersecurity, as well as keeping them up to date on threats.

In 2015, attackers successfully broke through the cybersecurity of three energy distribution companies in Ukraine. It is considered one of the first successful cyberattacks on a national grid, and has become a lesson for utilities and governments across the world.

“It was a successful attack on a power system there, and we’ve learned and heard from our intelligence sources from federal government what the tactics were from those attackers and we’ve learned from those incidents, and we now train our utilities on what that attack was, and how to defend against that,” Mitchell said. “The Department of Homeland Security and the Department of Energy are giving us lists of daily activity on cybersecurity and cyberattacks that are happening throughout the world.”

One of the major challenges facing industry and government is that the threats to the grid are continuously evolving.

“Since the 1880s, we’ve never viewed our homeland grid as a security target. But now, the foreign cybercriminals have brought the war to our homeland soil and utilities, the financial sector, telecommunications, we’re all at the front lines of international warfare now,” Highley said. “We didn’t design our systems with that assumption. We designed our systems with the assumption that most people were honest and weren’t going to try to purposely attack you. So it means a change in our thinking.”