National Cybersecurity Awareness month may have just come to an end, but there were lessons learned that should be applied throughout the whole year. The final exercise, Liberty Eclipse 2018, tested the cyber resiliency of our electricity, oil and natural gas infrastructure. It serves as a useful reminder that the U.S. energy sector faces daily cyberattacks from both independent adversaries and state-sponsored actors.
Safeguarding a resilient energy grid — and other critical infrastructure assets — are not just issues of physical security, but also cyber security. As we increasingly leverage technologies that raise efficiency and reliability, we must also focus on staying one step ahead of cyber attackers. This requires resiliency on all power generation fronts — nuclear, coal, oil and natural gas.
There is a belief in some circles that coal and nuclear power generation facilities are not as susceptible to cyberattacks because their fuel is stored on-site. The thinking goes that in the case of a large-scale cyber attack these facilities would continue generating electricity while pipeline fed oil and natural gas plants would fall victim to fuel shortages and service disruptions. This is simply not true and more importantly misses the larger picture as to how America’s power supply and distribution system works.
For starters, pipeline operators are working closely with federal officials to address cybersecurity threats through planning efforts and private investments. This year, for example, both the TSA and NIST released updated guidelines for pipeline cybersecurity measures. A number of the nation’s largest natural gas pipeline operators are also sharing cyber threat intelligence with each other and the federal government through the Oil and Natural Gas Information Sharing and Analysis Center. The global oil industry is expected to increase its investments in cyber defenses to nearly $2 billion by the end of this year.
The American Petroleum Institute (API) released an analysis recently addressing the industry’ best practices to prevent successful cyberattack intrusions. API’s study noted the oil and natural gas sector’s public-private collaboration — not prescriptive regulations — has helped bolster cybersecurity protections and provided the needed flexibility for the industry to respond to new threats.
Favoring one form of power generation over another to strengthen energy security takes attention away from more relevant concerns, such as finding solutions and technologies that will bolster grid cybersecurity protections. It is also redundant when one considers the work that stakeholders from both the private and public sectors have been engaging in over the past 15 years.
The National Institute of Standards and Technology (NIST), in conjunction with the U.S. energy industry has already developed an official framework of cybersecurity objectives and standards that includes protection, defense, resilience, and recovery methods. The Department of Homeland Security meanwhile, recently announced the opening of a new National Risk Management Center that will help foster the sharing of information and intelligence concerning cyber threats across several critical infrastructure sectors.
As would be expected, the Department of Energy has several initiatives geared towards bolstering the grid. For starters, they are offering $25 million in grants for projects that pursue new approaches to making the energy sector more resilient. The National Energy Technology Laboratory (NETL), within DOE, recently announced that it to would oversee investments in 15 projects that will enhance fossil energy power systems. Four of these projects are specifically related to grid cyber security.
Even the Department of Defense is making investments to bolster the energy sector. One such example is the Rapid Attack Detection, Isolation and Characterization Systems (RADICS) under development by the Defense Advanced Research Projects Agency (DARPA), whose goal is to, “enable black start recovery of the power grid amidst a cyber-attack on the U.S. energy sector’s critical infrastructure.” The project, which seeks to accelerate recovery by maintaining situational awareness, enabling network isolation, and rapidly characterizing cyber-attacks was just tested as part of the second phase of that Liberty Eclipse 2018 exercise.
Significant progress has been made, but there is still work to be done by federal agencies and operators to bolster infrastructure resilience and cover potential vulnerabilities in our grid’s operation system. While investment and vigilance are welcome, for success we must ensure collaborative and streamlined efforts through public and private engagement. At the same time, officials should avoid redundant, costly and ineffective proposals to bail out coal and nuclear facilities under the flawed pretense of bolstered cybersecurity protection.
Kelli Kedis Ogborn is a former congressional liaison for DARPA and the president and CEO of H.S. Dracones, LLC, a Washington, D.C., consulting firm specializing in commercialization strategy and strategic communications for technology firms.