Atlantic Council task force framework combats cyberthreats against energy sector

Published on July 14, 2022 by Kim Riley

The mounting threat of cyberattacks facing America’s energy sector as it increases the digital connectivity of its operations must be met with a flexible, resolute response coordinated by both the private and public sectors, according to a new Atlantic Council task force report.

To better understand current and future cyberthreats, the Atlantic Council Global Energy Center convened the Atlantic Council Task Force on Cybersecurity and the Energy Transition to develop a cybersecurity framework and recommend possible measures for the government to help companies avoid cyberattacks on critical energy infrastructure.

After a year-long survey, the task force on July 12 released its findings in a report entitled Securing the Energy Transition against Cyber Threats.

“Securing the evolving energy sector from the rising threat of cyberattacks is one of the most pressing national, economic and environmental challenges facing the United States,” concludes the report. “Increasing reliance on digital technology means that cybersecurity will be necessary to reliably achieve any of the expected benefits to national security, to climate security, or to energy consumers.”

The task force — which comprises civilian and military experts in cybersecurity policy, industrial cybersecurity and control systems, finance, and clean energy — is co-chaired by former U.S. Department of Homeland Security (DHS) Secretary Michael Chertoff and Wesley Clark, a retired four-star general, who led experts in a panel discussion Tuesday afternoon that focused on the new report’s findings.

“The nation’s energy system has essentially become part of the point of conflict and we need to protect our infrastructure,” said Chertoff, now co-founder and executive chairman of The Chertoff Group.

But according to the report, the U.S. is unprepared to secure an energy transition to low-emission and high-efficiency technologies because public and private institutions lack a unified, strategic framework against cyberthreats.

Many of the panelists agreed, saying that because cyberthreats are spreading downstream and laterally, a more sustained effort against them is needed.

“We are building the plane as we’re flying it,” and that’s likely not the best approach, said Leo Simonovich, vice president and global head of Industrial Cyber and Digital Security at Siemens Energy AG, a Germany-based energy company.

To better understand the cyberthreat risk, Simonovich said companies must be safety focused while sharing that responsibility within their operations, across the industry, and up and down supply chains.

“A unified operating model is one of the best things we can do,” said Simonovich, who is responsible for setting the strategic direction for Siemens’ industrial cybersecurity business worldwide.

Toward such a goal, the task force recommended in its report that the government align its actions to support the private sector, which should provide the requisite investment and training needed to ensure top-to-bottom cyber-secure operations.

“This includes individual cyber-hygiene education, infrastructure investment, real-time monitoring and information sharing, vulnerability assessment across supply chains, and incident reporting protocols,” according to the report.

Neil Chatterjee, senior advisor with Hogan Lovells and a former commissioner and chairman of the Federal Energy Regulatory Commission (FERC), agreed during the panel discussion. “Private-sector companies have found themselves on the frontlines of cyberwarfare,” he said, noting that the country is better at responding to a company being taken out by a missile than by a cyberattack.

The task force recommended that the U.S. government work to guarantee preparedness, eliminate duplication and clarify roles and responsibilities by melding “the nimbleness of a streamlined command structure with the robustness of a hierarchy with sector-specific expertise.”

The goal, according to the report, would be to create strong regulatory frameworks that hold the private sector accountable, provide companies with the resources to cultivate in-house cybersecurity, and instill the confidence to engage with public-sector bodies and react quickly when cyberattacks strike.

Simonovich and Chatterjee also agreed that the energy industry needs government agencies to ensure that federal funds get into the right hands so that the industry can move forward on implementing cyberthreat deterrents and to improve collaboration with private partners, among other goals.

Additionally, the government should fortify the Cybersecurity and Infrastructure Security Agency’s role in protecting critical assets, align oversight between the Executive Branch and federal agencies, and create a comprehensive, coordinated roadmap for the industry to follow.

It also should consider tax incentive structures. Chatterjee said that economic incentives could also help better align the public and private sectors.

At the same time, the government also should develop clear product and supply chain security guidelines and simplify information-sharing processes, the task force suggested.

Megan Samford, vice president and chief product security officer at Schneider Electric SE, a French multinational company that specializes in digital automation and energy management, pointed out during the panel discussion that unified standards could help close cyberattack gaps.

For example, Samford touted IEC 62443, an international series of standards from the International Electrotechnical Commission (IEC) that address cybersecurity for operational technology in automation and control systems.

“Security in products and standards like IEC 62443 are needed because they’re very specific,” said Samford, who is also a nonresident senior fellow at the Cyber Statecraft Initiative under the Atlantic Council’s Digital Forensic Research Lab.

Samford added that she supports nations adopting such standards and measuring performance against compliance with them.

Likewise, cybersecurity standards via FERC and the North American Electric Reliability Corporation (NERC) are needed, Chatterjee added, and the list of who should follow those standards should be expanded.

Whistleblower protections are also needed to help support national security, added Adrienne Lotto Walker, vice president and chief risk and resilience officer for the New York Power Authority.

In conclusion, the task force said that reimagining existing frameworks to secure the energy transition is a complex but urgent endeavor. “The choices the United States makes will result either in a fragile, vulnerable energy sector, or a solid foundation for a more sustainable and secure future,” the report says.