Energy grid experts see need for more information sharing with government on cyber security

Published on July 12, 2019 by Ed Roberts


A panel of energy experts told lawmakers Friday they are focused on combatting cyber security threats to the electric grid but that more has to be done by the government to share classified information with the private sector.

Jim Robb, president and CEO of the North American Electric Reliability Corp. (NERC), told members of the House Energy and Commerce Subcommittee on Energy his cooperative would like to see the federal government move faster to declassify information on cyber threats and disseminate it to the private sector. “We don’t need to know the origins,” said Robb, who testified during Friday’s hearing on “Keeping the Lights On: Addressing Cyber Threats to the Grid.” Robb also suggested that Congress could do more to ease security clearances for critical personnel in the industry.

Karen Evans, assistant secretary of the Department of Energy’s year-old Office of Cybersecurity, Energy Security, and Emergency Response (CESER), said the office is working to get information declassified as fast as possible and regularly provides both classified and declassified briefings to the private sector on emerging threats. “We really want to give them information that’s actionable,” she testified.

Evans urged Congress to help facilitate information sharing with private industry by, among other things, clarifying legal responsibilities and liabilities of private industry.

“The legal framework to share information needs to be more robust,” Evans said during a question-and-answer session after her formal testimony. U.S. Rep. Bill Johnson (R-OH) asked Evans what CESER is doing to incorporate retired military personnel with existing security clearances, and she said both government and the private sector are targeting ex-military for hiring.

She also told the panel her group is working to identify potential security threats to manufacturing, such as China’s Huawei, through an advanced manufacturing institute that is assessing threats in partnership with the network of national laboratories and industry. Robb added this organization believes a voluntary supplies certification of security clearance “is a smart thing to do.”

NERC’s Robb said the group is currently developing a Level 2 alert regarding Chinese equipment suppliers, including Huawei and ZTE, as a follow-up to the all-points bulletin the Electricity Information Sharing and Analysis Center (E-ISAC) issued in March. “The Level 2 alert and the bulletin enable us to provide strategic warning about the potential risk to industry of compromised supply chains, and to get a better sense of the scope of the threat. With this information, the E-ISAC is able to provide better analysis and suggested mitigation,” he said.

NERC is addressing supply chain risk in several different ways, explained Robb. In 2018-2019, NERC staff prepared a report on cyber security supply chain risks with recommendations for future actions. NERC worked with the Electric Power Research Institute to provide an independent assessment of industry supply chain risks and presented a final report to the NERC Board in May. The report contains several recommendations for additional study, including reliability standards development work to address Electronic Access Control or Monitoring Systems (EACMS) and physical access control systems connected to high- and medium-impact bulk electric system (BES) cyber systems.

U.S. Rep. Jerry McNerney (D-CA) asked Evans what CESER is doing to help small utilities combat cyber threats. She said CESER is working to ensure that small utilities get the same information in a timely fashion as the big companies. “We’re working with state officials to also drive down this information” to the lower levels, Evans testified.

Responding to questions, Evans said CESER is also coordinating with numerous pipeline associations to organize cyber security efforts. She said CESER is preparing a joint exercise with the Federal Energy Regulatory Commission (FERC) to determine cyber threat weaknesses.

U.S. Rep. Scott Peters (D-CA) asked Evans about any major perceived threats to the grid from international players, and Evans said she couldn’t discuss the matter in public but would in closed session.

U.S. Rep. David McKinley (R-WV) asked the panelists whether they believe “fuel-secure coal and nuclear plants are critical to ensuring the security of our electric grid,” but the panelists all declined to comment.

Evans recounted some of the actions CESER has undertaken since its Feb. 2018 inception. CESER, she said, activated the Emergency Response Organization for multiple natural disasters, including six hurricanes, three wildfires, two typhoons, one cyclone, one earthquake, and one volcanic eruption. CESER is also implementing a threat-informed, engineering-centric assessment and mitigation activity for the energy sector called Consequence-driven Cyber-informed Engineering, which is being supported by the Idaho National Laboratory. The methodology prioritizes high-consequence risks within control system environments, identifying the most severe consequences, and then identifies the best process design and protection approaches for eliminating the cyber risk.

In June, CESER worked with the National Association of Regulatory Utility Commissioners to help state public utility commissioners gather and evaluate information from utilities about their cybersecurity risk management practices. These PUC-driven evaluations of utilities in their states help to inform PUC investment decisions.

In May, CESER issued an $8 million funding opportunity announcement seeking innovative approaches to enhance the reliability and resilience of the nation’s energy infrastructure. This includes enhancing the ability of electricity generation, transmission and distribution infrastructure, as well as oil and natural gas production, refining, storage, and distribution infrastructure, to survive a cyber attack while sustaining critical energy delivery functions.

Andrew Dodge, director of FERC’s Office of Electric Reliability, told the panel of FERC’s Critical Infrastructure Protection Reliability Standard program.