The U.S. Department of Energy (DOE) this week kicked off a 100-day plan whose goal is to improve the cybersecurity of electric utilities — specifically their industrial control systems (ICS) — and secure the energy sector supply chain.
The DOE, the Cybersecurity and Infrastructure Security Agency (CISA) and the electricity industry are working together on this initiative, which focuses on encouraging the implementation of enhanced cybersecurity capabilities.
The DOE has also released a request for information (RFI), seeking input from academic, private and public stakeholders in the energy industry on recommendations for improving supply chain security.
SecurityWeek has reached out to several industry professionals for their thoughts on this new initiative.
Ron Brash, Director, Cybersecurity Insights, Verve Industrial:
“Within the 100-day sprint – what can truly be accomplished with such a monolithic lift? What does the Biden administration mean by increased visibility? Adding more sensors? Getting a more accurate and comprehensive catalog of assets and their logical assets contained within? Or is this a knee jerk response to the Texas outage combined with alleged implants in Chinese transformers and the geopolitical tensions that likely look similar through a reverse lens?
[…]
Now if we are talking about what can be done in the next 100 days – who are we talking about? Are we talking about the fortune 500 energy companies within the US or the smaller organizations that likely are the ones needing real help? Or are we talking about a collaboration with the Canadians providing a ton of excess hydro-electric power to the West & East coasts? Regardless of who we are talking about, or the unanswered questions – a focus on energy is good, but there are other critical sectors out there needing much needed attention. One could only wish that the government is saying we will provide modern and proven ubiquitous equipment out there to who knows how many sites and fix their insecure networks or remote access – but I know this is a pipedream; especially today with COVID supply chain delays.
Instead, they are largely talking about putting sensors in and getting “visibility” – which won’t really help with the Chinese made components buried within BPS infrastructure; everyone has this problem. And while a smoke detector might be useful to see sneaky network connections, it does not help with the remediation, action and resource problems that most organizations face when trying to put out the fires. Telling asset owners to use new technology is fine and dandy, but they need to own it, operationalize it, and maintain it… But perhaps this solution will simplify NERC CIP compliance audits and overhead or give them a plethora of previously unknown vulnerabilities to worry about?”
Padraic O’Reilly, CPO & Co-Founder, CyberSaint:
“Many public-private partnerships have been productive in cyber (note the development of the Cybersecurity Framework, now largely adopted by Energy), and the 100-day plan approach signals an urgency that bears repeating.
Energy is a target for the APT, and Industrial control systems are vulnerable. We all know that. Systems have been breached, and we know that, too. Yet, the companies we talk to demonstrably want to harden their systems in a cost-effective way, and this can certainly help.
With so much of the infrastructure privatized and in need of modernization, it can be difficult to get everyone pulling in the same direction, and DOE and CISA can really help with this because they have longer timelines in mind, and a lot of very good, fresh analysis around cyber hardening.
[If the technical solutions are identified, how likely are energy companies to actually implement them?]
I would say the chances are very good. Any technical improvements that come out of CISA are bound to have been vetted by some very sophisticated cyber experts. The proliferation of methods developed by the government (exploits), we have seen these spread rapidly into the hacker community. This initiative is analogous in the net positive direction. The tools and tactics that DOE and CISA are offering are more likely to be hardening on legacy systems and protection for Industrial Control Systems, which are notoriously tricky due to their age. Any tech help on this score will likely be embraced. Most of the best research on these issues has come out of such public/private partnerships.”
Learn More About Threats to Industrial Systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits Virtual Event Series
Chris Blask, Global Director, Applied Innovation, Unisys (LF Energy partner):
“This move by the Department of Energy aligns well with the series of related actions stretching back over the past twenty years. Taking these all together and looking towards likely future actions by the Department and the industrial cybersecurity community, there are good reasons to believe that the pertinent risks can be brought into a much more manageable framework for all involved parties.
[What else should be done by the US and other governments to secure electricity operations?]
Requiring Software Bill of Materials (SBOM) for critical and eventually all grid cyber assets is a step the Department and its regulatory partners can take in the immediate term. Building an Acquisition Resource Center (ARC) at the Department to coordinate procurement processes and compliance is a step the Department can take based on proven processes in other federal agencies. An attestation ecosystem based on the open source Digital Bill of Materials (DBOM) to store and share SBOMs and other critical attestations with appropriate transparency to involved parties is something that the Department and the community can put in place in the near term.
[If the technical solutions are identified, how likely are energy companies to actually implement them?]
If prudent regulatory, information compatibility, and attestation ecosystem moves are made by the Department based on currently available resources, there is a good possibility that energy companies will implement them. The task of the Department and the private sector community of interest is to increase the speed of adoption thoughtfully to maintain the best possible current state of implementation as the systemic future state is put into place over much of this decade.”
David Doggett, Senior Strategist, Red Balloon Security:
“It’s always good to have more attention on embedded systems security, especially when it involves critical infrastructure. However, focusing entirely on Chinese-manufactured or supplied equipment used in U.S. infrastructure does not take into account that equipment manufactured in the U.S. and Europe also contains significant vulnerabilities. In this year alone, we’ve seen vulnerability disclosures from CISA from companies like Siemens, GE, and Schneider Electric. There’s clear evidence that vulnerabilities from manufacturers around the world – not just China – and they need to be mitigated before threat actors take advantage with devastating consequences.
While manufacturers are patching devices as issues are found and working towards more secure devices by implementing security programs, manufacturers are not producing secure enough devices as fast as they need to.
Governments need to take an active role in assisting utilities and other parts of critical infrastructure in their push for manufacturers to make meaningful improvements in the grid equipment security, before the equipment is deployed.
We also need a wider push for U.S.-based security technologies to inherently secure and protect against exploitations as opposed to patching vulnerabilities after they arise. There’s a 12-month cycle for reviewing and approving patches for these types of devices which leaves utilities vulnerable to exploitation for an entire year – it’s simply not enough.”
John Livingston, CEO, Verve Industrial:
“My view is that the sprint should be seen more as the first leg in a relay race…perhaps a very long race with lots of handoffs. The real question in any relay race isn’t the performance of the first runner, but how the rest of the runners do in their legs. So, where does the next and the next and the next sprint take us. If this is seen in that light, it could be very effective. Instead of creating a mega-galactic commission to study this for the next 2 years and produce a report, they take a much more interactive approach. The first sprint lays out the key topics and hypotheses of things they can accomplish and when. It gets it 60-70% right. Then the second sprint pushes those hypotheses further into some sort of dialog with industry and further refinement. The third sprint then turns to some pilots in the labs or components of the industry. The fourth sprint may change direction from the original plan by 30-degrees or something and then continues with further refined pilots. You get the drift…
“A” sprint probably produces little. A “series” of sprints could be a really effective way to make progress in what is an intractable problem…”
John Cusimano, Vice President, aeCyberSolutions:
“While it’s nice to see ICS cybersecurity garnering much national focus and attention, I find it disappointing that the US government continues to focus almost exclusively on the electric power sector in its efforts to secure ICS. They seem to fail to recognize that ICS are used in nearly every critical infrastructure sector.
[…]
We must secure the entire energy supply chain from the source to the power generation facilities, refineries, and downstream chemical facilities that absolutely rely on these raw materials. Based on my direct work across many energy sectors and our extensive data, the nation’s greatest ICS cybersecurity risks are in water, maritime transportation, oil & gas pipelines, and critical manufacturing sectors such as food, pharmaceuticals, and medical devices. What these industries have in common is that the consequences of ICS cybersecurity compromise could lead to public health, safety, and environmental catastrophes.
It is my hope that the pending executive order for ICS cybersecurity will extend well beyond energy sectors and especially beyond the electric sector, which has been regulated by the Federal Energy Regulatory Commission (FERC) or the Nuclear Regulatory Commission (NRC) for ICS cybersecurity since 2010. The critical infrastructure sectors discussed are vulnerable to ICS attacks and are well behind in implementing the appropriate countermeasures to secure their infrastructure. It’s time the US government’s ICS cybersecurity efforts go beyond the electric sector.”
Grant Geyer, Chief Product Officer, Claroty:
“The aging critical infrastructure of the electric grid represents an existential cyber risk to U.S. national security. The Biden administration’s efforts to address the industrial sector’s obsolescent infrastructure through the American Jobs Plan, coupled with the Department of Energy’s 100-day sprint represent important initiatives to secure the nation’s cyber defenses. This dual pronged approach is essential to ensure obsolete systems that can no longer be patched or were not secured by design can be updated, and to ensure effective controls are in place.
What I find interesting is that the 100-day sprint is also complemented by a RFI from the DoE to seek input from electric utilities, academia, researchers, government agencies, and other stakeholders. What’s clear to me is that the administration is looking to take an apolitical, balanced, and considered approach to improving cyber safety of the U.S. electrical grid. The two areas called out for insight are short term stop gaps measures to prevent the implementation of potentially risky equipment into the electric grid, and the development of a long term strategy to deal with the evolving threat landscape.”
Andrew Barratt, Managing Principal, Solutions and Investigations, Coalfire:
“Such an initiative is likely to make a noticeable difference, not least of which because anything that is put forward will support investment in the cyber security of these operations. We have seen this consistently in other industries. When some form of standards or regulation is put in place, investment then has to be made or the risk of operations, permits being revoked, or other censure will lead to both the power generation and distribution infrastructure being forced into making losses.
[If the technical solutions are identified, how likely are energy companies to actually implement them?]
There are technical solutions out there – and some highly skilled OT engineer security professionals. Often they have been hamstrung by hugely legacy technology tightly coupled to the underlying operation infrastructure responsible for the generation of power. There is also a need to find solutions that de-couple the underlying power production infrastructure from their IT counterparts so that upgrading the software used to manage them doesn’t have major implications for the operations of a plant.
If we look at the future of large scale technical attacks – there is very little incentive for attackers to do global attacks that undermine the entire internet’s operations. This is very much biting the hand that feeds. However, regionally deployed attacks focused on a state or specific city’s power grid can be part of both an organized crime groups tactics (as part of a significant heist) or a nation state looking to create some disruption in a strategically significant area for political gains. Think Washington DC / Military base locations, etc.”
