Despite DOE’s efforts, cybersecurity threats to US electric sector continue to evolve, needing more efforts to manage risk

December 1, 2022

The U.S. electric sector continues to be an attractive target for cyberattacks from adversaries and individual bad actors, such as insiders and cyber criminals. Nations and criminal groups pose the most significant cyber threats to U.S. critical infrastructure, according to the Director of National Intelligence’s 2022 Annual Threat Assessment. Additionally, ​​these hackers are increasingly capable of attacking the grid.

There have been a couple of identified points of vulnerability in the nation’s electricity grid system. For example, grid distribution systems have grown more vulnerable, in part because their operational technology (OT) increasingly allows remote access and connections to business networks. This could allow threat actors to access those systems and potentially disrupt operations.

These threats prevail as the U.S. Department of Energy (DOE) through its Office of Cybersecurity, Energy Security, and Emergency Response (CESER) advances research, development, and deployment of technologies, tools, and techniques to reduce risks to the critical energy infrastructure posed by cyber and other emerging threats. It also works on increasing the security, reliability, and resiliency of energy infrastructure, while building the energy sector’s day-to-day operational capabilities to share cyber-incident information, improving organizational and process-level cybersecurity posture, and performing cyber-incident response and recovery.

Puesh Kumar, director of CESER at US DOE
Puesh Kumar, director of CESER at US DOE

“Safeguarding America’s energy infrastructure is a top priority for the Department of Energy and a primary objective of the Office of Cybersecurity, Energy Security, and Emergency Response,” Puesh Kumar, director of CESER at the DOE, told Industrial Cyber. “It is incredibly important that while we transition to innovative and cleaner, more affordable energy sources that we invest in and build resources and systems that are inherently reliable, resilient, and secure.”

Kumar also pointed to the “increasing complexity of the energy sector and the ever-changing threat landscape demands that we double down on information sharing that results in actionable intelligence. We have made tremendous progress, creating opportunities for threat information sharing on all levels and between the public and private sectors, but there is more work to be done.”

In 2023 and beyond, “we will continue to develop initiatives and platforms that enable this critical work,” Kumar added.

As the lead federal agency for the energy sector, the DOE has developed plans to implement a national cybersecurity strategy for protecting the grid, the U.S. Government Accountability Office (GAO) disclosed last month. “However, we found that DOE’s plans do not fully incorporate the key characteristics of an effective national strategy. For example, the strategy does not include a complete assessment of all the cybersecurity risks to the grid. Addressing this vulnerability is so important that we made it a priority recommendation for DOE to address. We prioritize recommendations that need immediate attention,” it added.

Trend Micro identified in a recent analysis that the environment surrounding the electric power industry has changed significantly over the past ten years, leading to a pressing need to review the supply chain and entire system of the energy industry on a national scale. A stable supply of electricity supports many industries and lifestyles, including manufacturing, restaurants, transportation such as trains, and households. The impact of power supply instability and outages is more widespread than in other industries. Additionally, the modernization of power generation, transmission, and distribution systems is progressing, as cyber risks are simultaneously increasing.

The CESER has rolled out several methods and resources for stakeholders to protect the electric grid over the last couple of months. In July, it released version 2.1 (V2.1) of the Cybersecurity Capability Maturity Model (C2M2) tool to help electric infrastructure owners and operators identify and invest in security capabilities and practices critical to their operations. C2M2 is designed to guide the development of new and existing cybersecurity programs and to enable organizations to measure and improve their cybersecurity posture and optimize security investments.

CESER has also set up, funds, and leads a highly-selective education program called the OT Defender Fellowship. Offered by CESER, alongside the Idaho National Laboratory (INL), the OT Defender program provides its fellows with an exclusive, insider view of how the government functions.

Apart from the CESER resources, electric infrastructure owners and operators also have access to material released by the Cybersecurity and Infrastructure Security Agency (CISA). A couple of weeks back, the CISA released a set of cross-sector cybersecurity performance goals that are meant to instill consistency across all critical infrastructure sectors, including the energy sector. These goals provide a useful baseline set of cybersecurity practices to help critical infrastructure owners and operators reduce their risk exposure, on both the OT and IT sides of the house.

Industrial Cyber reached out to industry experts to suggest measures that the U.S. electric grid put into place to safeguard their infrastructure, in the wake of the European energy infrastructure proving vulnerable to cybersecurity attacks.

Robin Berthier, Co-Founder and CEO of Network Perception
Robin Berthier,
Co-Founder and CEO of Network Perception

“Important investments have been made to protect the U.S. electric grid from cybersecurity attacks,” Robin Berthier, CEO and co-founder at Network Perception, told Industrial Cyber. “First, the Cybersecurity & Infrastructure Security Agency (CISA) has launched the Shields Up program to reduce exposure, adopt best practices, and increase resiliency. Second, the North American Electrical Reliability Corporation (NERC) has been enforcing risk-based cybersecurity compliance standards to ensure that critical cyber assets are not directly connected to untrusted networks,” he added.

In the wake of recent threats, the recommendations are for electric utilities to continuously verify their network segmentation and to conduct frequent exercises to prepare for cyber incidents, Berthier added.

Paul Morgan, a cybersecurity professional in the U.S. electric sector, told Industrial Cyber that he would recommend that those charged with protecting the U.S. electric grid from cyber-attacks influence vendors to improve their security programs, develop a robust continuous monitoring program, and build their security architecture to allow emergency islanding of OT networks.

“In the United States, vendors who provide interconnected equipment for the grid hold a small monopoly through lock-in. Many components of the grid have been in place for decades and it is not possible to upgrade or replace small groups of these components with a competitor’s product without replacing all similar components,” Morgan said. “All components cannot be replaced at one time without causing an outage, and therefore the original vendors keep grid operators locked in to their products. Additionally, many of these vendors are small to medium niche businesses without the budget for expensive cybersecurity teams to protect their equipment. This can allow malicious actors to compromise critical infrastructure components before they are even purchased by electric companies.”

Paul Morgan, cybersecurity professional in US electric sector
Paul Morgan,
cybersecurity professional in US electric sector

Morgan added that the U.S. electric grid operators need to collectively influence these vendors to establish minimum supply chain cyber protections despite the vendor monopolies, and accept that the cost of doing business with these vendors will rise accordingly. “If free market influence is not successful, federal regulations would be advisable to ensure a minimum level of security in the critical infrastructure supply chain.”

“Ten years ago, having an air gap (no connection between OT and the internet) and strict physical security measures were seen as sufficient for protecting critical infrastructure. While air gaps are a strong control against attack, they also limit the ability of cyber programs to monitor the OT network for benign and malicious events,” according to Morgan. “Continuous Monitoring programs for OT networks require more resources and stricter attention than typical enterprise networks in order to prevent high impact threats.”

Morgan also pointed out how it is now common to monitor the OT network through connections to the electric company enterprise network. “This monitoring requires live data, and therefore an active flow of information between the OT and enterprise networks. In the event of an attack, these connections need to be designed to close – called network islanding – in order to insulate the OT network from attacks on or through the enterprise network. If the electric company has additional connections to the OT network for operation purposes, then closing these connections could cause operational impacts such as outages. These impacts need to be accounted for and controlled when developing security architecture for critical infrastructure networks,” he added.

A guiding force for the critical infrastructure sector has largely been the bipartisan Infrastructure Investment and Jobs Act (IIJA), also known as the Bipartisan Infrastructure Law (BIL), which places emphasis on ensuring the infrastructure built or improved with its funding is secure and resilient. With a US$1.2 trillion budget, the legislation works towards rebuilding America’s roads, bridges and rails, expanding access to clean drinking water, ensuring every American has access to high-speed internet, tackling the climate crisis, advancing environmental justice, and investing in communities that have too often been left behind.

Under section 40126 of the IIJA, the DOE Secretary may require submission prior to the issuance of the award or other funding, a cybersecurity plan that demonstrates the cybersecurity maturity of the recipient in the context of the project for which that award or other funding was provided. Additionally, the Secretary may establish a plan for maintaining and improving cybersecurity throughout the life of the proposed solution of the project.

In Section 40124, CESER was charged with creating a program to improve the cybersecurity posture of rural, municipal, and small utilities to enhance the cyber security posture of utilities across the country by helping them harden their systems, processes, and assets, including increasing workforce cybersecurity skills. CESER will work with its utility partners to understand their priorities and challenges and develop appropriate solutions that are future-proof.

Addressing how the U.S. electric sector keeps pace with the modernization of power generation, transmission, and distribution systems, while cyber risks are increasing at the same time, Berthier said that “the digitalization of our industrial infrastructure including the electric grid has been significantly enlarging the attack surface that we have to protect. In addition, the level of sophistication seen in recent cybersecurity attacks is unprecedented.”

The US electric sector has started a journey to become cyber resilient, according to Berthier. “This means to architect their environment and cybersecurity solutions to keep critical operations running despite being under threat. They have invested in improving visibility and understanding, defense in depth techniques, and following a strict principle of least privilege,” he added.

“Many electric companies are modernizing their cybersecurity programs through the adoption of risk frameworks such as the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) or the Center for Internet Security (CIS) benchmarks,” Morgan said. “Consistently implementing the recommendations of these frameworks has helped increase the effort required to attack electric communications networks. However, these measures only moderately protect electric systems from nation-state actors who have both the capability and motive to attack national grids of their adversaries.”

Morgan added that to combat this the U.S. electric sector has been a champion for advancements in cybersecurity defense tactics by actively contributing to working groups for new standards, regulations, and technologies. “For example, the electric industry contributed greatly to the Institute of Electrical and Electronics Engineers (IEEE) 2030.5 standards to ensure that power generation can be increasingly democratized while minimally affecting grid cybersecurity.”

“The electric sector works cooperatively with regulatory commissions, such as Federal Energy Regulator Commission (FERC) to share lessons learned and turn those lessons into protections across all three U.S. electric grids,” according to Morgan. “The electric sector works diligently to develop and improve technologies such as the secure Inter-Control Center Communications Protocol (ICCP) and microgrids which provide redundancy for electric systems in small areas even if the grid is unavailable,” he added.

In terms of cybersecurity, it is important to take stock of the progress the U.S. electric sector made in 2022. One of the greatest drivers of progress that the electric sector has been improved information sharing. This year, one of CESER’s signature achievements was launching the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance (RMUC) Program. Through the program, CESER will provide $250 million of BIL funding over five years to help rural, municipal, and small investor-owned electric utilities improve their cybersecurity posture and increase their participation in threat information-sharing programs.

“One of the major progress made this year by the US electric sector has been the deployment of technology and the development of playbooks to better protect against ransomware,” Berthier said. “We have seen the number of ransomware attacks impacting critical infrastructure declining for the first time, which is a great milestone. Important initiatives have also been launched to better protect against the risk of supply chain attacks.”

Berthier added that the recent Executive Order (14028) has pushed the government and the private sector to define guidelines and best practices for the software supply chain, including the provisioning and verification of software bill of materials.

“As we head into 2023, the key challenge will be to operationalize those guidelines at scale for a wide variety of stakeholders,” he added.

Morgan said that 2022 has been a big year for advancing the security of distributed energy resources (DER) which has posed a threat to either the grid cybersecurity or the country’s ability to produce clean energy. “DERs are small power generators – typically solar, wind, and battery storage – which sell electricity to grid operators in small quantities individually, but large amounts in aggregate. Each of these DERs are small to medium businesses which do not have large budgets for cybersecurity,” he added.

However, the US electric sector has worked collaboratively to develop processes and standards to allow for these DERs to connect to the grid without introducing significant new risks, according to Morgan.

Morgan said that in 2023, the rising volume of electric vehicles poses new cybersecurity threats that need to be addressed. “How do we protect the privacy of customers as they connect their vehicles to the grid? How do we supply these smart charging stations with electricity while not increased the number of attack vectors to the grid? Is it possible to overload sectors of the US grid through distributed attacks on charging stations?” he added.

The DOE will work on improving energy sector cybersecurity ​​by increasing the overall cyber resilience of the grid by addressing critical cyber vulnerabilities prior to adversary exploitation through a multi-faceted approach that includes applying classified threat intelligence, illuminating systemic cyber supply chain risks, cyber vulnerability testing, and forensic analyses, and engineering out cyber risks. These efforts will be carried out in close partnership with asset owners and manufacturers across the energy sector industrial base.

“By September 30, 2022, analyze no less than 10% of critical components in energy sector systems; and expand manufacturers participating in the voluntary Energy Cyber Sense program to cover no less than 15% of the market share of critical components,” Fowad Muneer and Cherylene Caddy, Goal Leaders wrote in a post on the Performance.gov website, a window into the performance of the federal government. “Drive down overall cycle time for critical vulnerability discovery to mitigation to notification of impacted asset owners by at least 10%, compared to a 2021 baseline.”

“By September 30, 2023, analyze no less than 15% of critical components in energy sector systems; and expand manufacturers participating in the program to cover no less than 30% of the market share of critical components,” they added.

Identifying the potential key drivers of improving cybersecurity in the U.S. electric sector in 2023, Berthier said that “we are still seeing important gaps related to network visibility and verifying that networks are correctly segmented.”

“A key driver for organizations in 2023 will be to understand that they not only have to monitor network traffic in their operational technology networks, but they also have to model what their network is capable of,” according to Berthier. “This means going beyond deploying access control lists to actually analyze network paths and precisely measure asset exposure, the presence of remote connectivity, and the attack surface they have to protect,” he added.

Morgan said that today, and in 2023, there remain holdouts in the U.S. electric sector who are lagging behind in modernizing their cybersecurity programs. “Each new large attack on electric grids around the world provides new vigor to these holdouts to not only modernize but to also join the conversation on advancing cybersecurity defenses for the grid as a whole,” he added.

The Colonial Pipeline attack may have been focused on gas distribution, but both the attack and the U.S. response to the attack provide valuable lessons for the U.S. electric sector and hopefully motivation for electric grid operators to improve their security posture, Morgan concluded.

Source: Industrial Cyber, Anna Riberio