Security and Resilience (Cyber and Physical)

Report details cyber capability gaps, offers recommendations

A report released on May 30 and prepared by the Department of Energy, other federal agencies and power industry stakeholders examines electricity disruptions with emphasis on cyber incidents and details existing gaps. The report breaks out those gaps into several categories, including public-private cybersecurity information sharing, and offers a series of related suggestions for the federal government and industry to consider.

President Trump in 2017 issued Section (e) of Executive Order 13800 on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”

The executive order called for an assessment of the potential scope and duration of a prolonged power outage associated with a significant cyber incident, as well as an evaluation of the readiness and gaps in the United States’ ability to manage and mitigate consequences of a cyber incident against the electric subsector.

The Departments of Energy and Homeland Security partnered with other federal agencies and electric industry stakeholders from across the United States to conduct the analysis required under the executive order. 

While no lasting damage—physical, cyber-physical, or otherwise—has been observed from the cyberattacks and intrusions targeting U.S. electric utilities that have been reported to date, there are key trends that are increasing the risk of significant cyber incidents, the DOE noted.

The report, released May 30, identifies gaps around enhancing cyber incident response capacity, developing high-priority plans, augmenting scarce and critical resources, and understanding and characterizing response efforts to catastrophic incidents.

Existing capability gaps

Existing capability gaps fall largely into seven main categories: (1) Cyber Situational Awareness and Incident Impact Analysis; (2) Roles and Responsibilities under Cyber Response Frameworks; (3) Cybersecurity Integration into State Energy Assurance Planning; (4) Electric Cybersecurity Workforce and Expertise; (5) Supply Chain and Trusted Partners; (6) Public-Private Cybersecurity Information Sharing; and (7) Resources for National Cybersecurity Preparedness.

The report includes a series of suggestions for each of these seven categories.

Public-private cybersecurity information sharing

The report said that the 2016 National Preparedness Report shows the importance of cybersecurity information sharing between the public and private sectors, particularly in increasingly targeted industries.

“The ability of all whole community partners to ensure effective cybersecurity information sharing through the bidirectional flow of information and intelligence between industry and government has been highlighted by all stakeholders as a continued challenge for the electricity subsector,” the report said.

It said that the ability to ascertain impacts during a cyber incident will likely be challenged by competing mandates among different industry and government entities and difficulty in sharing cyber information. “Once information is available, barriers to sharing between government entities covering different jurisdictions and between government and industry threaten to reduce the ability of responding organizations to efficiently deploy resources. Bidirectional flow of information between the public and private sectors is impeded by the slow adoption of automated capabilities, while sharing classified information from government to industry in real time during a disaster remains a challenge.”

Industry and government, in partnership with Information Sharing and Analysis Centers, could benefit from further clarity in roles, responsibilities, functions and objectives, expanded data sources, as well as improved information sharing capabilities, the report said.

It offers several suggestions for overcoming public-private cybersecurity information sharing gaps, including, among other things:

  • The DOE should work with DHS, industry partners, and other relevant organizations to better define information needs and reporting thresholds through an assessment of voluntary and mandatory reporting requirements, such as the Electric Emergency Incident and Disturbance Report and NERC Reliability Standard EOP-004-2, as they relate to cyber incidents;
  • Government, academia, and industry should improve tools for sector-sourced intelligence and automated information sharing by scaling up integration of machine-to-machine communication and artificial intelligence;
  • The Critical Infrastructure Partner Advisory Council (CIPAC) should be leveraged to establish a cross-sector, executive-level, public-private mechanism to increase focus on risk mitigation; and
  • The DOE should develop a program for active protection of sensitive information, such as a robust critical electric infrastructure information, “with appropriate confirmations of protection at federal and state levels that enables industry to enhance sharing with government in an environment separated from regulatory compliance.” 

Cyber situational awareness and incident impact analysis

The report said that existing capabilities for assessing potential consequences and impacts from cyber-related disruptions and sharing relevant situational awareness in a timely and coordinated manner across sectors are often unable to provide the detail needed to better inform government executives, regulators, and utilities of potential risks, particularly of long-term events. It notes that the electric subsector is interdependent with many other aspects of critical infrastructure, and actor capabilities from one sector can be translated to other sectors.

An increased situational awareness and incident impact analysis capability should be developed to leverage existing cybersecurity authorities and existing capabilities from across DOE national laboratories to provide modeling, analysis, and near real-time cybersecurity awareness of critical U.S. infrastructure, the report said.

Suggestions detailed in the report for improving cybersecurity impact analysis and addressing capability gaps in the electricity subsector include, among other things:

  • DOE, in collaboration with relevant partners, should conduct impact analyses to clarify and inform potential electric system costs related to cybersecurity that utilities can use to better inform investment decisions to secure the grid;
  • DOE, DHS, and the U.S. Army Corps of Engineers should assess the sufficiency of data on industry back-up power to improve planning and modeling; and
  • DOE, in coordination with DHS, should develop a program to continuously assess situational awareness information using subject matter experts in both cybersecurity and electricity to add context such as potential scope and duration of a significant cyber incident and impacts to cross-sector critical infrastructure systems.

Roles and responsibilities under cyber response frameworks

The report also includes suggestions for increasing clarity on the roles and responsibilities under cyber response frameworks.

One suggestion is for the federal government to codify relationships with industry to expedite technical assistance during response and clearly establish expectations for federal resources. Another suggestion calls for the DOE to develop a team of cybersecurity experts with the requisite combination of technical knowledge in electricity and cybersecurity to complement direct assistance from DHS and other federal departments.

Cybersecurity integration into state energy assurance planning

In the area of cybersecurity integration into state energy assurance planning, the report suggests that states take several actions. “States should work with DOE, DHS and industry partners to ensure that energy assurance plans align with industry efforts, as well as federal and state response structures,” the report said.

Also, states should identify their exposure to impacts from events beyond their borders through analysis of potential vulnerabilities to regional energy supply chain impacts and ensure that energy assurance plans include the integration of cyber information sharing mechanisms such as the Multi-State ISAC (Information Sharing and Analysis Center).

The report, which also includes suggestions in the areas of electric cybersecurity workforce and expertise, supply chain and trusted partners, and resources for national cybersecurity preparedness, is available here.