March 28, 2017
By Chris Bing
Electric power industry executives are pushing to have their cybersecurity concerns heard by Congress and the Trump administration.
A Senate Energy and Natural Resources Committee hearing on Tuesday — convened to discuss how the government can better coordinate with the private sector on power grid security, incident response and other cyber threat information sharing efforts — is the latest example for how the industry is reaching out to Washington.
Last week, electric power company and trade group representatives also met with top administration officials, including Secretary of Energy Rick Perry and Jeanette Manfra, the acting deputy undersecretary for the Homeland Security Department’s cyber division, Politico first reported. The group spoke about relevant, shared security goals and priorities, and where the government can offer assistance.
Energy companies face substantial risks in cyberspace, experts say, and threats can directly affect physical systems and human life.
John Di Stasio, President of the Large Public Power Council, told lawmakers Tuesday that because cyberthreats aimed at the electric grid evolve so rapidly, the industry typically prefers “flexible” cybersecurity regulations. Di Stasio said that while the government can play an important role in defending U.S. critical infrastructure, he disapproved of Congress rushing out new, potentially constraining compliance standards.
Another topic of significant concern for Tuesday’s four-person panel was the lack of actionable intelligence provided to the electrical power industry by government agencies about hackers.
“We need help getting the information,” Xcel Energy President Ben Fowke III told Cory Gardner, R-Co. “Quite often by the time we hear about a potential threat from the government, we’ve known about it for a long time through private sources or industry communication. And I think the reason for that is that we struggle on taking what could be classified information, declassifying it and getting it out quickly.”
There are some signs in Congress that future legislation may help spur collaborative public-private security research and information sharing programs.
A bill introduced last year by committee member Angus King, I-Maine, named the “Securing Energy Infrastructure Act,” or S. 79, was discussed during the hearing. As it is currently written, the legislation would establish a $10 million pilot program within the Energy Department’s national labs to research new cybersecurity technologies and find security vulnerabilities evident in products used by private energy companies. This vulnerability research would be shared with private sector partners.
“The effort proposed in S. 79 could potentially aid the utility industry, FERC and others to maintain a secure electric grid,” Michael Bardee, Director of the Office of Electric Reliability at the Federal Energy Regulatory Commission, wrote in a prepared testimony for the committee. “Utilities have come to rely increasingly on digital tools for monitoring and operating the Bulk-Power System. These tools have enhanced the efficiency and effectiveness of utility operations significantly.”
Because most critical infrastructure in the U.S. is privately owned, the government must often form partnerships with companies to better monitor and secure industrial control networks. DHS, in this scope, plays a critical role as the defender and support team while the Energy Department helps to drive forward research and changes to policy, standards and regulation, which can improve digital security in the larger energy community writ large.
Developing relations between the electric power industry and U.S. government come in the wake of several known and substantial cyberattacks against industrial control facilities.
Four years ago, Iranian hackers broke into the Bowman Avenue Dam near Rye Brook, New York, using sophisticated malware. The attackers were unable to fully access the dam’s IT systems though investigator believe they could have taken control of the facility’s flood gates, investigator said at the time. DHS’ Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, responded to the incident; helping mitigate damage caused by the intrusion.
“I think one of the great things here is that the federal government stepped in and stopped what could have been something bad from happening,” Rye Brook Mayor Paul Rosenberg told CNN in 2015 after news first broke that hackers were responsible for the Bowman Avenue Dam incident in his town. “We appreciate that, but it makes me wonder about what would be potentially next, and that makes me concerned.”
# # #