It’s no secret that the U.S. power grid is one of the main foundations of the nation’s economy, infrastructure, and daily way of life. Now that almost everything is digitized, it is hinging on it even more. We wouldn’t be able to use even most vending machines (not to mention cell towers or the internet) without a working electrical supply, and the importance of keeping it safe cannot be understated.
Thankfully, a lot of positive changes have already been made. More remains to be done. As the issue is one of national concern – and yet still involves private power companies – the solution needs to come from both sides.
Let’s take a look at what has been done so far and what remains to be done in 2023. The good news is that organizations don’t have to wait for gaps in legislation to be filled. By being smart about where the gaps are, they can build out their own defenses to stay ahead of the game and away from this year’s emerging threats.
What has been done already?
In the wake of domestic and international threats, the federal government and related entities have turned a brighter spotlight on the cybersecurity of the U.S. power grid in the past few years. Last May, the Executive Order was famously signed, which focused on improving the nation’s cybersecurity, particularly requiring federal agencies and those connected with them to develop zero-trust architecture.
Several months before, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was passed, and shortly after that, CISA created the regulatory process to adopt the inherent reporting requirements.
Last year also saw the release of version 2.1 of the Cybersecurity Capability Maturity Model (C2M2) tool to help electric infrastructure owners invest in ongoing cyber defenses. These followed on the heels of the E.O. on Securing Bulk Power Systems of 2020 and the Department of Energy level setting before that.
Most recently, the Federal Energy Regulatory Commission (FERC) issued a Cybersecurity NOPR, which offered financial incentives to power companies investing in cybersecurity architecture and solutions.
Needless to say, last year was a landmark year for grid security.
How much further do we need to go?
Despite the significant advancements, the work is far from over. On the one hand, the risks are rising:
- Grid distributions have grown increasingly vulnerable
- Old O.T. continues to mix with new I.T., sharing vulnerabilities
- Ransomware attackers grow bolder as they target critical infrastructure
- Nation-state conflicts continue to escalate into real-world cyberwarfare
- The move to Green Energy threatens to destabilize the grid during transition
And some say the regulations in place still don’t go far enough. Trend Micro identified a significant change in the environment surrounding the U.S. power grid over the past decade, which necessitates the need for a fresh look at the security of the electric supply chain.
Additionally, the U.S. Government Accountability Office (GAO) also believed that the current FERC regulations fall short. They note, “[We] found that DOE’s plans do not fully incorporate the key characteristics of an effective national strategy. For example, the strategy does not include a complete assessment of all the cybersecurity risks to the grid. Addressing this vulnerability is so important that we made it a priority recommendation for DOE to address. We prioritize recommendations that need immediate attention.”
Lawmakers are calling for further reform, and U.S. Congressman John Kato noted how the way forward was through increased cooperation between the public and private sectors. Said Kato, “I think we need to continue with the collaborative effort we’re developing with the private sector and CISA, information coming in, taking that information, operationalizing it, and then sending it back out in a better way and form.” This symbiotic relationship was encouraged by the senator as he put forth a bill late last year that would identify “systemically important critical infrastructure.”
Rising risks and point-in-time leave a gap in overall grid security. The only way to fill it is with agility, found often only in the private sector.
However, not all cybersecurity vendors are created equal. It often takes someone with deep industry experience to be able to negotiate the specific security challenges inherent in that sector and bring the right solutions, strategies, and tested techniques to the table.
About the Author:
Michael Sanchez, CEO (CISA), has over 35 years of experience in information technology, cybersecurity, physical security, risk, compliance, and audit. He is the former head of Commercial Cybersecurity and Compliance for a large global management consulting firm and is experienced in successfully scoping and advising on projects of all sizes and complexity. In other past roles, Michael managed IT and OT for a $12-billion energy corporation, assisted in the IT rebuild and redesign for a large power generation company, and served for 12 years as a board member for FBI InfraGard Houston, helping to facilitate the sharing of information related to domestic physical and cyber threats. He currently serves on two ASIS International steering committees (Utilities Security and Critical Infrastructure) and is a member of the Forbes Technology Council.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.