Lawmakers broaden scrutiny of cybersecurity across U.S. energy delivery systems
Federal lawmakers on Tuesday expanded their examination of how well the U.S. electric grid is protected against cybersecurity threats to include the efforts of defending the nation’s natural gas pipelines against cyber terror.
“Given the interdependency of natural gas and electricity, it is imperative that these energy delivery systems are adequately protected” against the increasing number of cyberattacks, said U.S. Sen. Lisa Murkowski (R-AK), chairman of the Senate Energy and Natural Resources Committee, which held a hearing on the topic.
Dave McCurdy, president and CEO of the American Gas Association, agreed and said, “It’s critically important that policy discussions around [this] interdependency … address the reliability of both the gas and electric systems in a coordinated manner, yet recognize the differences between the industries.”
One big challenge facing both electric and natural gas utilities is successfully protecting their energy distribution systems from cyberattacks. Cybersecurity partnerships between the federal government and industry operators are helping both move forward, witnesses said.
McCurdy, a former U.S. Democratic congressman from Oklahoma who served as chairman of the House Intelligence Committee, said that technological advances over the last 20 years have made natural gas utilities better able to serve customers via web-based programs and tools, but also made them “an attractive target for increasingly sophisticated cyber terrorists.”
In response, McCurdy said, gas utilities have for several years maintained a valuable pipeline transportation security partnership with the U.S. Department of Homeland Security (DHS), specifically the Transportation Security Administration (TSA)—the regulator for pipeline security—and with the U.S. Department of Energy (DOE). TSA partners instead of regulates, while DOE develops cybersecurity practices, tools and guidelines to address risks and threats and helps identify and solve pipeline security challenges, he said.
“These non-regulatory security partnerships are built on cooperation, mutual trust and the recognition that a top-down cybersecurity regulatory regime would be counterproductive to industry security. Simply put, our adversaries move faster than any regulatory checklist so it’s better to partner on protecting our systems than to rely on static compliance programs,” McCurdy said.
He warned the senators against giving DOE any additional authority over pipeline transportation systems security because there would be program overlap with existing TSA programs. Likewise, shifting this security regime from TSA to DOE would ignore the pipeline expertise and industry knowledge TSA has built over a decade of partnership and require a program rebuild at DOE, he said.
“Reshuffling our government cybersecurity partners will also not make us any safer,” McCurdy said.
Reliable delivery of electricity is also a priority for DOE, testified Patricia Hoffman, acting assistant secretary of the DOE’s Office of Electricity Delivery and Energy Reliability.
It does need to be strengthened and improved and DOE will continue to work with public and private partners to protect against physical and man-made threats, she said.
“It’s critical to be proactive and cultivate what I call an ecosystem of resilience: a network of producers, distributors, regulators, vendors and public partners acting together to enhance our ability to prepare, respond and recover,” said Hoffman, adding that DOE supports industry functions to do this in myriad ways, including by sharing actionable intelligence with energy owners and operators in a timely manner.
“But to support the cyber posture of the nation … we do need better information sharing and use of best practices to raise our security maturity,” Hoffman said. “A shared endeavor requires shared partnerships.”
Biggest gripe: info-sharing
The single most important aspect of cybersecurity policy remains an effective government-private sector partnership based on open information sharing, witnesses said.
Specifically, to better protect these systems, industry needs better cybersecurity information from government partners delivered in real-time; quicker dissemination of classified threat information; and a closer working relationship with not only sector-specific agencies like DOE, but also with the law enforcement and intelligence communities.
The process by which industry leaders receive security clearances also needs to be reformed, McCurdy said. “Despite my existing Department of Defense security clearance, I still haven’t received a DOE security clearance I applied for a year ago,” he added.
Expanding what and how classified information is shared will be a cybersecurity challenge going forward, testified Gerry Cauley, president and CEO of the North American Electric Reliability Corporation, known as NERC, the Atlanta-based nonprofit institution that regulates and oversees the reliability and security of the North American electrical grids.
NERC already has in place its Electricity Information Sharing and Analysis Center (E-ISAC), which serves as the information sharing conduit between the electricity industry and government for cyber and physical security threats, especially during rapidly evolving security events.
The E-ISAC also has partnered with DOE on the Cybersecurity Risk Information Sharing Program (CRISP). Managed by the E-ISAC, CRISP uses innovative technology and leverages DOE’s analytical capabilities to provide info-sharing of unclassified and classified threat information. It also develops situational awareness tools to enhance the electricity sector’s ability to identify, prioritize and coordinate the protection of their critical infrastructure, Cauley testified.
How can CRISP share highly classified information in a more timely fashion while still protecting the content, asked U.S. Sen. Catherine Cortez Masto (D-NV).
“We have to figure out how to work on a shared national problem together,” Cauley answered. “It starts with two things: getting industry and the top levels of government together on a plan for managing our assets together and protecting them; and how do we become part of a shared community in which we trust one another? We have to find a way to fight this war together.”
“This is a complex machine we’re talking about modifying,” said Duane D. Highley, president and CEO of the Arkansas Electric Cooperative Corporation.
Cyber warfare requires that the utilities have timely access to actionable information, Highley said. And while real-time sharing is great, both parties have to play.
“Most of the time we learn about threats from the private sector long before the government shares the information due to its classified nature,” Highley said. Developing more mutual trust and getting more higher-level security clearances approved would help, he added.
