15 May 2021

Any reduction in Energy Department's cybersecurity resources a mistake

BY RETIRED REAR ADM. MARK MONTGOMERY

In March, a bipartisan group of senators led by Jim Risch (R-Idaho) and Angus King (I-Maine) sent a letter to Energy Secretary Jennifer Granholm expressing support for the department’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Joined by the chair and ranking member of the Senate Committee on Energy and Natural Resources, the letter highlighted the vital role CESER plays “in protecting the nation’s critical energy infrastructure from cyber threats, physical attacks, and other disruptive events.” More than a month later, the Biden administration has still not nominated an assistant secretary to lead the office.

The letter reflects the senators’ concerns that the Biden administration is considering downgrading the CESER billet from the assistant secretary level to make space for new assistant secretary assignments for justice and jobs. Coming on the heels of a Government Accountability Office (GAO) report highlighting the Department of Energy’s (DOE) unfinished work to secure the nation’s electric grid and supply chains, Secretary Granholm would be making a mistake if she were to reduce the seniority of cybersecurity leadership at the department.

As the sector risk management agency for the energy sector, DOE has done important work to address vulnerabilities in electrical generation and transmission systems, but as the GAO report concluded, there is more work to be done. DOE’s cybersecurity plans “do not fully address risks to the grid’s distribution systems.” In response, DOE acknowledged GAO’s assessment, agreed with its recommendation, and then pointed to two ongoing CESER research projects aimed at improving the cybersecurity of these systems. This remaining work is critical for securing the part of the electric grid that delivers (distributes) electricity the last mile to our homes and businesses, after it has been produced in power plants (generation) and carried over high-voltage systems (transmission).

While there certainly is more to be done, the new energy secretary has actually taken leadership of the federal agency with one of the most effective cybersecurity programs. The March 2020 Cyberspace Solarium Commission report highlighted a number of DOE cybersecurity and private sector outreach programs that other agencies should consider replicating. The CESER office deserves much of the credit for this effort. This is a direct result of the office having the appropriate seniority (including a Senate-confirmed assistant secretary), resources, congressional support, and relationships with both the private sector and state and local governments. All of this is needed to address the ongoing cyber risks to our nation’s energy infrastructure and to develop policies and lead the emergency responses to security and natural disaster incidents.

For example, CESER coordinates the membership and growth of the Cybersecurity Risk Information Sharing Program (CRISP), one of the only public-private data sharing and analysis platforms between the federal government and critical infrastructure owners. CRISP facilitates timely bi-directional sharing of unclassified and classified threat information among energy sector stakeholders. In fact, outside of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the agency broadly responsible for all federal cybersecurity efforts, no federal agency has matched CESER’s efficacy and outreach. Because of CESER, the Department of Energy has become the comparative gold standard of federal cybersecurity sector risk management agencies.

Additionally, CESER administers the Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, one of the few testing programs for securing high-priority hardware and software components that make up the physical systems of critical infrastructure. CyTRICS testing then helps industry partners improve security, design, and manufacturing. Given that 25 percent of respondents to a North American Electric Reliability Corporation Level 2 alert indicated that they or their third-party service providers had downloaded compromised software associated with the SolarWinds compromise, now is not the time to stall efforts to improve resilience of an increasingly digital energy system.

While President Biden has pledged to prioritize cybersecurity, he has, so far, left the CESER assistant secretary position vacant. As the administration vets incoming officials, our adversaries are not sitting still. Threat actors — including nation states, criminal groups, hacktivists, and insiders — are capable of and willing to carry out cyberattacks that could place the electric grid at risk. There are several clear examples of electric grid hacks across the world. Late last year, the People’s Republic of China allegedly released a series of trojan horses on the Maharashtra electricity grid in India, taking out power for several hours. A little closer to home, the Reading Municipal Light Department (RMLD), an electric utility company based in Massachusetts, reported in February 2020 that it had been the victim of a ransomware attack. These threats are only going to continue to grow.

As the senators wrote, “[t]he reliability and resilience of the electric grid is critical to the economic and national security of the United States.”

Unless DOE continues to prioritize cybersecurity risks to our electric grid, the plans it has drawn up so far will be of little to no use. An assistant secretary level leader with a properly resourced office has been, and will continue to be, key to this success. Hopefully, to paraphrase Mark Twain, rumors of a reduction in seniority of the CESER billet are greatly exaggerated. But if not, any such reduction would be a critical error at a critical time.

Retired Rear Admiral Mark Montgomery is a senior fellow at the Foundation for Defense of Democracies (@FDD), senior director of FDD’s Center on Cyber and Technology Innovation (CCTI), and senior advisor to the chairmen of the Cyberspace Solarium Commission. Follow him on Twitter @MarkCMontgomery

Tasha Jhangiani, a research analyst at the Cyberspace Solarium Commission and a Future Digital Security Leaders Fellow at the Institute for Security and Technology, contributed. Follow her on Twitter @tasha_jhangiani

FDD is a nonpartisan research institute focused on national security and foreign policy. Congress established the Cyberspace Solarium Commission to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences."