Senate Energy and Natural Resources Committee eyes cybersecurity efforts in energy sector

Published on August 07, 2020 by Chris Galford

In an effort to assess federal and private efforts to improve cybersecurity in the United States energy sector during the ongoing pandemic, the full Senate Energy and Natural Resources Committee held a hearing this week attended by executives and administration officials alike.

That pandemic, said Ranking Member Joe Manchin (D-WV), has forced the industry to accept and adapt to new troubles and vulnerabilities exacerbated by more employees working remotely. It has also been a lesson in how preparation is key — and how devastating a lack of preparation can be. Therefore, a significant focus for the committee was on how to improve collaboration on cybersecurity and critical infrastructure protection efforts.

“You all know well that threats to critical infrastructure are serious and increasing,” Manchin said. “Legacy grid systems were not designed to defend themselves against modern cyberattacks, and, as they grow more and more connected to the internet, our electric systems grow more and more vulnerable.”

Attending the hearing were witnesses Alexander Gates, senior advisor at the U.S. Department of Energy’s Office of Policy for Cybersecurity, Energy Security and Emergency Response; Joseph McClelland, director of the Federal Energy Regulatory Commission’s Office of Energy Infrastructure Security; Steve Conner, president and CEO of Siemens Energy, Inc.; and Thomas O’Brien, senior vice president and chief information officer for PJM Interconnection.

Of particular concern is how interconnected the larger system is. One company could be rather exhaustive in its efforts at security, but without collaboration, another link in the chain could still leave the grid exposed. Manchin hit on this point when engaging with O’Brien, pondering if PJM, for example, could test other companies to see if they were up to PJM’s standards, and to assess potential vulnerabilities. However, O’Brien disagreed.

“That’s something that we don’t feel is in our jurisdiction based on how we operate,” O’Brien said. “We do collaborate a lot with the members, but we don’t do that. Let me clarify; we do extensive red teaming and penetration testing on our own systems. What we don’t do is red teaming and penetration testing on our member company’s systems, where data flows into us.”

For his part, Manchin implied he would follow up with PJM and similar entities to pursue opportunities for security testing throughout the system, not just on their end.