Energy infrastructure security requires continuous industry-government collaboration

WASHINGTON – The National Association of Regulatory Utility Commissioners (NARUC) Committee on Critical Infrastructure received an update Sunday from industry partners in energy infrastructure security at NARUC’s 2019 Winter Policy Summit here.

Representatives from the U.S. Department of Energy (DOE), the Federal Energy Regulatory Commission (FERC), the Electric Power Research Institute (EPRI) and the Edison Electric Institute (EEI) briefed the committee on their organization’s recent work related to protecting energy infrastructure from physical and cyber threats.

The energy sector is one of 16 critical infrastructure sectors, as designated by Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience.

“It has been — this partnership between the electricity subsector and the government — has been looked at as best in class among the 16 critical infrastructure sectors,” Scott Aaronson, vice president of security and preparedness at EEI, said.

Kate Marks of the Department of Energy gave the committee an overview of the Office of Cybersecurity, Energy Security and Emergency Response (CESER) within DOE, which U.S. Secretary of Energy Rick Perry established in February 2018.

“CESER was stood up to ensure that DOE was working with industry and government to secure U.S. energy infrastructure against all hazards, reduce the risks of and impacts from cyber events and other disruptive events and assist with restoration activities,” Marks said.

Marks noted that DOE is the sector-specific agency for energy as well as for cybersecurity in the energy sector. She also noted that DOE leads the Energy Government Coordinating Council (EGCC), which engages with the energy industry through the electricity subsector coordinating council (ESCC) and Oil and Natural Gas Sector Coordinating Council (ONG SCC).

CESER has set three priorities for its work this year, Marks explained. These priorities include improving understanding of risks and how to mitigate them, clarifying industry and government roles in cybersecurity and building capacity across industry and government.

Information sharing, Marks said, is an important part of the office’s efforts. DOE shares threat information through conference calls, reports, and quarterly threat briefings. It shares updates through ISERnet, a secure website managed by the Infrastructure Security and Energy Restoration (ISER) Division of DOE’s Office of Electricity Delivery and Energy Reliability, with points of each contact identified in each state through the Energy, Emergency and Assurance Coordinators (EEAC) list.

Marks offered as an example an incident in December in which the administration announced that a group of cyber actors known as APT10 is running a cyber-enabled theft campaign. DOE, she said, organized two conference calls — one with industry and state regulators — to share information about the threat.

“So, while seemingly a small act to just stand up two conference calls, we really think this helps to demonstrate CESER’s commitment that providing energy information at the same to both industries and states with actionable information will allow us to improve coordination across the industry…” Marks said.

DOE is also developing tools such as the cybersecurity capability maturity model (C2M2), which helps states evaluate and improve their cybersecurity abilities. In addition, the department is creating workshops and training for utility planners, state officials, emergency managers, and others, along with other initiatives.

The committee also heard from David Andrejcak, deputy director of the Office of Energy Infrastructure Security (OEIS) at FERC. OEIS, he said, provides “assistance, expertise, and advice to other federal and state agencies, jurisdictional utilities and congress” on threats.

Andrejchak said that FERC and DOE will be hosting a technical conference on Security Investments for Energy Infrastructure in March to discuss physical and cyber practices to protect energy infrastructure as well as how government can provide incentives and cost recovery.

Aaronson, who serves as secretary for the ESCC in addition to his role at EEI, noted that the ESCC, the CEO-led group that serves as the principal liaison between leadership in the federal government and the electric power sector, is working to build out a program management approach.

“One of the things that comes with CEO leadership is ‘good is never good enough,’ and so while we are extraordinarily proud of the work we have done to build out this council the way that we have, we have a drive to be better, to do more, and one of the things that we are doing as an ESCC is to build out a program management approach,” Aaronson said.

EEI, he noted, is also working on an initiative to help energy companies create a culture of security and make it a more integral part of their operations.

Cybersecurity is an increasingly important area of focus for the energy industry. EEI President Tom Kuhn also highlighted the importance of partnerships between industry and government in securing the energy grid.

“EEI and our member companies constantly are working to improve grid security, reliability, and resiliency, and we will continue to strengthen cyber and physical defenses and to elevate preparedness,” Kuhn said. “Our strong industry-government partnership, coordinated through the ESCC, will continue to be key to accomplishing our shared goal of protecting the energy grid against all threats.”