This year’s official actions on supply chain risk management are only the beginning of the collective changes needed to grapple with foreign cyber threats to the utility sector, industry insiders at the Energy Bar Association’s Fall Conference said Tuesday.
Those actions included President Trump’s declaration of emergency in May; information requests from the Department of Energy, NERC and FERC; and the new CIP-013-1 reliability standard that took effect earlier this month.
“Utilities are now at the cyber front lines of protecting national security,” said Robert Kang, a senior attorney for Southern California Edison, citing the intelligence community’s most recent Worldwide Threat Assessment that accused China, Russia and other countries of “using cyber operations … to disrupt critical infrastructure.”
“That means we, along with the government, have to step up our engaging. … In terms of presentations that I give to the C-suite or to the board of directors, I think that’s actually key,” he added.
Kang said government engagement with utilities has been accelerating in recent years in several key areas. The first is in support of efforts by utilities to reverse engineer grid equipment in search of components made by suppliers suspected of assisting with online espionage — for example, China’s Huawei and ZTE, which have both come under increased scrutiny from regulators and lawmakers. (See FERC, NERC Offer Cyber Supply Chain Guidance.)
Utilities are often prevented from performing such examinations themselves by supplier contracts that prohibit reverse engineering, but Congress provided a potential workaround for the issue in the National Defense Authorization Act of 2020, which authorized DOE to form a task force to examine critical equipment for suspect components with the help of the National Laboratories. Kang said that “a number of utilities … are really looking forward to seeing [the] task force get stood up.”
Communication Within Entities Essential
Kang said the government’s ability to issue binding edicts — not just laws, but also NERC’s reliability standards — can be another powerful form of assistance for utilities, as such requirements can force entities to make needed improvements they might otherwise be reluctant to perform because of cost or convenience issues.
Picking up this thread, Howard Gugel, NERC’s vice president of engineering and standards, admitted that while the organization had moved quickly to implement requirements for cybersecurity risk management, there is still a lot of work to make the topic central to the conversation.
“When we planned the system, we didn’t really think about what the cyber impacts … were, and also the [information technology] folks didn’t really think about [how] the stuff that they installed … could potentially impact the bulk electric system,” Gugel said. “[We’re starting] a conversation between the two groups to say [that] as we’re planning the system, we need to … understand what the cyber impacts could be, and also when we’re planning to do cyber installations, what could be the impact on the bulk electric system.”
Both Gugel and Kang encouraged listeners to expand their knowledge beyond their job descriptions — for example, lawyers to talk with technology specialists and vice versa. These conversations can not only build rapport between different parts of an organization but can also help both sides develop useful insights to help the entity overall.
Recovery Systems Also Under Threat
From the government’s perspective, Patricia Hoffman, principal deputy assistant secretary in DOE’s Office of Electricity, said the department has seen promising signs that the industry is taking the cyber threat seriously. She warned utilities that maintaining a strong defense against state-backed attackers with considerable resources at their disposal will require thinking several moves ahead.
“They want to gain access and persistence. Then they want to be able to prepare the battle space … to put malware on your system, and then be able to … not only execute [an attack], but prevent your ability to recover,” Hoffman said. “So, we want to keep that in mind as you move forward, and think about [your] opportunities and responsibilities … as an entity in this sector.”