Cybersecurity for Energy’s Critical Infrastructure

How reliable and resilient is our nation’s critical energy infrastructure? How must we improve amid growing concerns regarding cyberthreats? What are the greatest vulnerabilities? How are physical threats, natural disasters and cyberthreats to energy being addressed? Let’s explore.

Last year, I asked the question: How secure is our smart grid? The context was an alarming report claiming that the U.S. electric grid is in imminent danger from a cyberattack.

Has the situation improved one year later? The answer depends on who you talk with and the specific details discussed. What is very clear is that our nation still faces serious cyberthreats and vulnerabilities that are keeping experts up at night.

A U.S. Senate Energy and Natural Resources Committee hearing on March 1, 2018, addressed this very question and focused on efforts to improve the resiliency and reliability of critical energy infrastructure.

That hearing included the following testimony which is well worth reading and viewing at the link above. The C-SPAN embedded video was not available at the time this blog was published, but may be added later. 

Opening Remarks

  • Lisa Murkowski — Chairman Senate Committee on Energy and Natural Resources
03.01.18 — Murkowski's Opening Statement (as delivered) — Cyber Hearing.pdf

  • Maria Cantwell — Ranking Member, Senate Committee on Energy and Natural Resources — (opening statement pdf not available)

Witness Panel 1

  • The Honorable Bruce Walker — Assistant Secretary of the Department of Energy Office of Electricity Delivery and Energy Reliability
Walker Testimony 3-1-18 SENR Cmte Hrg.pdf 

Endicott-Popovsky Testimony 3-1-18 SENR Cmte Hrg.pdf 

Matheson Testimony 3-1-18 SENR Cmte Hrg.pdf 

  • William Sanders — Department Head and Donald Biggar Willett Professor of Engineering, University of Illinois at Urbana-Champaign
Sanders Testimony 3-1-18 SENR Cmte Hrg.pdf 

Highlights from the Committee Hearing and Recent Energy Announcements

There was a sense of urgency throughout the hearing, and here are some of the highlights (and rough notes) that I took away, but I urge you to watch the hearing. There are more energy cyber-resources listed below. 

Dr. Barbara Endicott-Popovsky

  • Everyone is your neighbor — we need to partner and work together across industries
  • Rules + new tools — human training — can’t patch stupid
  • Not enough talent — talent problems
  • Cybersecurity has become a profession – ‘Balkanization’ of the field will not help.

Dr. William Sanders

  • Protection alone will not work
  • Cyber-resiliency is key and research must include:
    • Continuous collection of sensor data to gauge status
    • Fusion of sensor data with other intelligence information
    • Visualization techniques
    • Analytics
    • Restoration techniques
    • Creation of post event tools
  • The cyberthreat is real. Time to act is now
  • Grid resilience is not the same as cybersecurity
  • Research and development are needed with academia, government and private sector

Mr. Robert M. Lee — (Note: He has a great background at NSA finding the leading nation state cyberattack vectors. Energy is near the top of the list)

Recent incidents show cyberthreat topic is serious.

  • Ukraine power grid attack
  • Malware in Middle East deployed to target human life

His company is offering three reports on industrial control threats (see below).

  • Silver bullets are not real
  • NERC CIP standards — regulations are base-level security
  • Halt new regs. Workforce development needs to catch up

Senator questions:

Could we have a ‘Black Swan’ event — energy system complexity? Interdependency — gas infrastructure North America model

Answer: We need to understand our single points of failure and weaknesses.

What keeps Mr. Lee up at night? Disparity between various industries. Smaller events + U.S. response

Major Problems Discussed (by all):

  • Background checks of people
  • Getting specific cyberthreat information to companies in a timely manner
  • Timely response to incidents 
  • Arms Race — both cyberattacks and our defenses are getting better.

Back on Feb. 14, Energy Secretary Rick Perry announced a new cybersecurity office — the Office of Cybersecurity, Energy Security, and Emergency Response. The department is seeking $96 million in funding for fiscal 2019 for coordinating preparation for physical and cyberthreats to critical infrastructure.

At the March 1 hearing of the Senate Energy and Natural Resources Committee, members were skeptical that the new office dovetailed with government-wide efforts to incorporate cybersecurity across all system operations.

Assistant Secretary Bruce Walker, head of DOE's Office of Electricity and Energy Reliability, said the proposed office is "distinct" because the program is meant to be "actionable, near-term and highly responsive," while the rest of the Energy Department's reliability efforts focus on longer-term strategies and research and development.

The NY Post commented on a Senate Armed Services Committee hearing in which: “A second top cyber-security official is sounding the alarm over the US’s inadequate response to Russian and other cyberattacks.

Army Lt. Gen. Paul Nakasone told the Senate Armed Services Committee that adversaries that include Russia, China, North Korea and Iran are not facing retribution for their cyberattacks on the US.”

Resources to Help on Energy Infrastructure Policy and Cyberprotections

The Department of Energy (DoE) offers this website on Cybersecurity for Critical Energy Infrastructure, which is a good place to start. The website states: “Office of Electricity Delivery and Energy Reliability (OE) is to make the nation’s electric power grid and oil and natural gas infrastructure resilient to cyber threats.

The vision of OE’s cybersecurity program is that, by 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions. OE’s cybersecurity program supports activities in three key areas:

Some excellent reference reports were just issued by Dragos that cover various aspects of cyber vulnerabilities, metrics and insights into industrial control systems. The reports also cover threat activity groups and incident response highlights from the past year.

I also encourage readers to visit the Electricity Information Sharing and Analysis Center (E-ISAC) resources available online.

This North American Electric Reliability Corp. (NERC) website describes the role of the E-ISAC, which:

  • Identifies, prioritizes, and coordinates the protection of critical power services, infrastructure service, and key resources;
  • Facilitates sharing of information pertaining to physical and cyber threats, vulnerabilities, incidents, potential protective measures, and practices;
  • Provides rapid response through the ability to effectively contact and coordinate with member companies, as required;
  • Provides and shares campaign analysis, which includes capturing, correlating, trending data for historical analysis, and sharing that information within the sector;
  • Receives incident data from private and public entities;
  • Assists the Department of Energy, the Federal Energy Regulatory Commission, and the Department of Homeland Security in analyzing event data to determine threat, vulnerabilities, trends and impacts for the sector, as well as interdependencies with other critical infrastructures (this includes integration into the DHS National Cybersecurity and Communications Integration Center);
  • Analyzes incident data and prepares reports based on subject matter expertise in security and the bulk power system;
  • Shares threat alerts, warnings, advisories, notices, and vulnerability assessments with the industry;
  • Works with other ISACs to share information and provide assistance during actual or potential sector disruptions whether caused by intentional, accidental, or natural events;
  • Develops and maintains an awareness of private and governmental infrastructure interdependencies;
  • Provides an electronic, secure capability for the E-ISAC participants to exchange and share information on all threats to defend critical infrastructure;
  • Participates in government critical infrastructure exercises; and
  • Conducts outreach to educate and inform the electricity sector.

You may also want to check out the Global Energy Institute’s cyberpages from the U.S. Chamber of Commerce. They offer reports and statistics to help protect the energy grid, including comments on the cybersecurity incident reporting reliability standards.

Final Thoughts

So what is the answer? Can the grid be hacked?

It seems like the easy (lawyer-type) answer is best: “It depends.”

The hearings and experts seem to think that smaller regional outages are very possible, and perhaps even probable over the next few years. Their emphasis on reliability and resiliency is constant, and they point out that weather-related electricity outages happen all the time.

However, the feeling of most of the experts seems to be that a nationwide “major grid outage” is very unlikely. They say: “Great work is ongoing. However, many of the smaller utilities have a long way to go.”

A recent report out of GCHQ in the United Kingdom claimed that "energy smart meters could expose millions of Britons to hack." The story highlighted concerns about energy bills being modified, "Trojan Horse" hacks to infiltrate other home networks or even "nation-state actors could exploit the flaws in the energy smart meters to create a power surge that would damage the National Grid."

After reading numerous reports and watching hours of testimony on the grid being hacked in the USA, I remain unconvinced either way. Most experts are holding back and saying there is a lot of work left to be done. The teamwork and partnerships are certainly front and center at the moment, and the new DOE efforts will certainly help.

And perhaps having more humility regarding potential new cyberattacks on the grid is a good place to be right now, since the testimony of experts reconfirmed that the hackers and defenders are both getting better at the same time.  

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.