With less than 8 weeks until a new administration takes over in Washington, the clock is running out for the Energy Department to deliver one of President Trump’s most public and far-reaching efforts to protect grid security.
Aimed at protecting the U.S. electric grid from equipment sourced from countries like Russia and China, Trump’s May 1 executive order on bulk power system security tasked DOE with carrying out what could be one of the administration’s last major cyber policies — if the agency can finish a pared-down rule that focuses on U.S. military facilities.
Cybersecurity experts and grid officials say the order — and DOE’s response — highlights thorny security challenges for U.S. defense installations that will continue to vex President-elect Joe Biden’s administration.
DOE is “woefully under-resourced for this huge strategic challenge” of protecting defense-critical grids, said Charles “Chuck” Kosak, deputy assistant secretary for DOE’s Office of Electricity, at an Electricity Advisory Committee meeting held before the presidential election. “I think the U.S. government is grappling with this challenge going forward.”
Trump instructed DOE to work alongside agencies such as the Defense Department, the Office of Management and Budget, and the Department of Homeland Security to prevent “sabotage” of key grid components by “malicious cyber activities.” DOE officials have narrowed the focus from the entire bulk power system to the supply chain for grids that provide electricity to military facilities in the U.S. and its territories (Energywire, Oct. 13).
If the rulemaking is not released before Jan. 20, some industry experts say the next White House will likely pick up the thread at DOE and at the Federal Energy Regulatory Commission, as grid cybersecurity is widely considered a nonpartisan topic.
“Expect a Biden administration to fully enforce the E.O., ensure increased oversight from DHS and DOE, and for the new administration to continue the crackdown on cyber risk in the energy sector and continue the trend we’ve seen in FERC over the last four years,” said Norma Krayem, vice president and chair of Van Scoyoc Associates’ cybersecurity, privacy and digital innovation practice group.
DOE officials have said they expect to release the rule this fall. But in the nearly seven months since Trump’s order, the federal response has been plagued by missed deadlines and a skeptical utility industry wary of a disruptive government ban on foreign-made equipment.
The completion of the rule also comes as a key DOE office involved in the order has recently undergone drastic leadership changes.
Alexander Gates, head of Cybersecurity, Energy Security and Emergency Response (CESER), was replaced by Nicholas Andersen as the new principal deputy assistant secretary earlier this month, in a move that surprised some cybersecurity experts (Energywire, Nov. 16). Trump also announced that Sean Plankey, who played a significant part in the order as principal deputy assistant secretary, was leaving CESER for DHS’ cyber office in October (Energywire, Oct. 8). However, questions surrounding Plankey’s security clearance may be holding up the process, Cyberscoop reported, and Plankey is currently a senior adviser for DOE.
The White House, DOE and DOD did not respond to requests for comment.
Richard White, adjunct professor of cybersecurity information assurance at the University of Maryland Global Campus, said that with the change of administration, “the timeline to get the [rule] execution started, and then ultimately completed, will be elongated.”
Adding fuel to the fire is the rapidly changing nature of cybersecurity threats to the grid. Paul Stockton, former assistant secretary of Defense for homeland defense, said that although there have been significant improvements in protecting U.S. electric facilities, nation-backed hacking threats to the grid are ramping up “at least as quickly.”
“The electric industry is making terrific progress in partnership with DOE, but the threat continues to intensify,” said Stockton.
The worry is that hostile nations could attack vulnerable points in U.S. military bases, such as the power grids that support DOD operations. China, for example, could pinpoint electric grids at military bases in U.S. territories in the Pacific Ocean in the event of an escalating conflict in the disputed South China Sea, experts warn.
The National Counterintelligence Strategy said early this year that “adversaries are conducting intelligence operations to exploit, disrupt, and damage U.S. and allied critical infrastructure and military capabilities during a crisis.”
Funding, bureaucratic hurdles
In 2015, Congress entrusted DOE and DOD with identifying “defense critical electric infrastructure” (DCEI) facilities as part of the Fixing America’s Surface Transportation Act.
Kosak said the list is not “hundreds of facilities” but “a number that is, in our mind, manageable going forward.” While the exact number is not publicly known, the designations are limited to U.S. states and territories, according to a presentation at the Oct. 14 Electricity Advisory Committee meeting.
Still, protecting the sites is a large operation that involves a slew of different agencies, grid regulators, operators and private companies that manage and support the flow of electricity into U.S. military installations.
Many of the utilities that provide power to defense stations are smaller and have fewer resources to beef up their cybersecurity.
“If it needs to be paid for through cost recovery efforts, you need a regulator, so FERC is going to have to be involved in this,” said Richard Mroz, a senior adviser to the Protect Our Power grid security advocacy group and former president of the New Jersey Board of Public Utilities. “At some level, the state commission needs to be involved if it’s a distribution utility helping and supporting and being the supplier to these facilities.”
Each defense site has unique needs, and some may even be made more independent or “islanded” from the wider grid, Mroz said.
Delia Patterson, the American Public Power Association’s senior vice president for advocacy and communication, said in a statement that “DCEI is a shared responsibility between industry and government.” Federal authorities need to “deliver the expertise and funding to make improvements” to make protecting these grids a national priority, she said.
“DOD, including the local DCEI facility, as well as DOE, can also advise on things like construction standards and opportunities for mitigation of potential threats,” Patterson said.
A recent report by Moody’s Investors Service found that, on average, municipal power providers and rural electric cooperatives have “weaker cybersecurity practices” than their investor-owned peers (Energywire, Nov. 5).
“We need to find ways of ensuring that smaller utilities — whether they’re public power utilities or rural cooperatives or smaller investor-owned utilities — have access to the resources they need in order to help strengthen DCEI,” said Stockton.
There are other obstacles to finding the right path for funding, Stockton said. Existing reliability tools aren’t up to the job of weighing the costs and benefits for grid cyberdefenses, he said. Other critical infrastructure sectors rely on electricity, so attacks against defense-critical grids would likely have a rippling impact on ports, airports, telecommunication systems and water systems.
“We can predict the likelihood of severe storm surges based on historical data and projections of future events, but no equivalent exists for the risk of nation-state [cyber] attacks on the United States,” Stockton said.
The U.S. isn’t known to have suffered a significant cyberattack on the power grid, but there is a growing concern that nation-state actors, specifically China, are rapidly developing the capability to do so. DHS released a recent Homeland Threat Assessment saying that “China possesses an increasing ability to threaten and potentially disrupt U.S. critical infrastructure.”
DHS’s Cybersecurity and Infrastructure Security Agency and the National Security Agency released a separate warning over the summer that Russian-backed hackers are targeting internet-accessible operational technologies like the ones managing the power grid (Energywire, July 28).