Biden administration releases 100-day plan to address electric system cybersecurity risks

On April 20, the Biden administration, through the United States Department of Energy (DOE), issued what it is calling its 100-day plan to address cybersecurity risks to the US electric system. The plan is a coordinated effort among DOE, the electricity industry, and the Cybersecurity and Infrastructure Security Agency (CISA). It “represents swift, aggressive actions to confront cyber threats from adversaries who seek to compromise critical systems that are essential to US national and economic security,” according to the announcement.

The idea is that DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), working with utilities, will “continue to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.” To achieve this goal, the efforts undertaken in this “sprint” focus on encouraging power grid players to:

1. Implement measures or technology that enhance their detection, mitigation and forensic capabilities.
2. Deploy technologies that enable near real-time situational awareness and response capabilities in the critical industrial control system (ICS) and operational technology (OT) networks.
3. Enhance the security posture of their IT networks.
4. Deploy technologies to increase the visibility of threats in ICS and OT systems.

Trump EO banning purchases from adversaries reactivated

As part of the plan, the administration has reactivated an executive order put into place by the Trump administration and initially suspended when Biden first took office. That order bars electric utilities from purchasing what has been deemed high-risk electric equipment purchases, such as high-voltage transformers, from foreign adversaries, particularly China.

To further manage supply chain threats that stem from adversarial nations, the DOE also announced a new request for information (RFI), “Ensuring the Continued Security of United States Critical Electric Infrastructure,” that focuses on “preventing exploitation and attacks by foreign threats to the US supply chain.” This RFI is part of a broader initiative, “America’s Supply Chains” EO 14017, that seeks to examine and increase the resilience of supply chains across the US economy.

RFI seeks answers to supply chain risk questions

The 11-page RFI states that “the growing prevalence of essential electric system equipment being sourced from China presents a significant threat, as Chinese law provides opportunities for China to identify and exploit vulnerabilities in Chinese-manufactured or supplied equipment that are used in US critical infrastructure that rely on these sources.” As a consequence, the DOE says it expects utilities “to act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence” during the 100-day sprint.

In the meantime, the DOE’s RFI seeks recommendations on how it can exercise its role as the Sector Risk Management Agency to inform and coordinate with the utility industry and appropriate regulators, including state public utility commissions and the Federal Energy Regulatory Commission (FERC). The DOE also wants ideas about how it can better enable “testing of critical grid equipment, encourage better procurement and risk management practices, and develop a strong domestic manufacturing base with high levels of security and resilience,” with a particular focus on potentially compromised grid equipment that has already been installed.

The RFI asks several questions, including whether the energy secretary should ban certain pieces of equipment from being installed on the electric distribution system. The RFI takes it as a given that utilities that serve the defense sector should steer clear of this equipment.

It also asks whether that prohibition should extend to other critical infrastructure sectors, including communications, emergency services, healthcare, public health, information technology and transportation systems. The RFI further asks whether utilities are “sufficiently able to identify critical infrastructure within their service territory that would enable compliance with such requirements.”

DOE encourages all interested parties to file their responses to the RFI via snail mail within 45 days of publication in the Federal Register, June 7.

Industry reaction to cybersecurity plan seems positive

Reaction from electric sector cybersecurity specialists to the Biden power grid plan seems optimistic. “They’re trying to kind of peace out together,” Carlos Perez, research practice lead at cybersecurity firm TrustedSec, tells CSO. “How do we work with these multiple entities? Some of them are local government-owned; others are owned privately. Others are actually conglomerates that are working together. All of them are interconnected into the national grid, which has some basic standards, at least for operation. They’re trying to get all of those pieces together. They’re trying to get what I would call situational awareness.”

“I’m not hearing that everyone is freaking out, that their hair is on fire,” Patrick Miller, founder of the Energy Sector Security Consortium and US coordinator for the Industrial Cybersecurity Center, tells CSO. “The people that I know that are closer to it, they are not freaking out.”

Tom Kuhn, head of the Edison Electric Institute and point person for the CEO-led Electricity Subsector Coordinating Council (ESCC), issued a statement saying, “We welcome the new ICS initiative and appreciate that the Biden administration is making cybersecurity for operations a high priority.” Noting that the White House push is complementary to other electric sector efforts, Kuhn said that EEI members “look forward to working across the industry and with key government agencies to enhance visibility into these critical control systems and to improve situational awareness for emerging threats.”

Biden plan does not address some cybersecurity needs

The plan does not address many needed electric sector security elements, such as information sharing, “which is fundamentally broken in the electric sector,” Miller says. “We really need data breach notification. I hate to say that because it’s so controversial. We’re spending an enormous amount on security. We don’t have a lot of actuarial risk data. Imagine if you’re trying to manage healthcare without all of that rich body of healthcare data.”

“The Biden Administration could incentivize adoption of internationally recognized controls frameworks like IEC 62443 and NIST, both of which can be used to complement one another,” Megan Samford, chief product cyber security officer, Energy Management at Schneider Electric, tells CSO.

Another issue not addressed in the Biden plan is the importance of filling the cybersecurity skills gap. “Asset owners struggle with lack of cyber talent available on the market to help them secure their systems which are comprised of products from many vendors. Even if vendors supply secure products and systems, it becomes a system of systems challenge for integrators and owners and operators,” Samford says.