The COVID-19 pandemic has helped shine an unexpected spotlight on the need for cybersecurity best practices, but maintaining that awareness once the crisis has passed could be a challenge, according to members of the government-sponsored Cyberspace Solarium Commission.
Speaking to state utility commissioners in a webinar April 24, two members of the commission — Southern Co. CEO Tom Fanning and former National Security Agency Deputy Director Chris Inglis — shared several recommendations from the group’s report issued earlier this year. Participants told ERO Insider that while the report itself focused primarily on the federal government’s role in cybersecurity preparedness, the industry representatives on the commission felt its recommendations should be shared with a wider range of players.
“I asked Chris and Tom, what [would they] want the state commissioners to be doing with this?” said Richard Mroz, a senior adviser to Protect Our Power and former president of the New Jersey Board of Public Utilities, who moderated the webinar. “And it was, first and foremost, to … go to the companies they regulate and ask them what they think of those recommendations, whether it’s an identification of those systemic, critical infrastructure operations, or … certifying all the way up to the C-suite that there’s responsibility and oversight of [their] cybersecurity practices.”
Multiple Avenues for Defense
Congress last year formed the Solarium Commission — a bipartisan group of members of Congress, former government officials and industry representatives — to “develop a consensus on a strategic approach to defending the United States in cyberspace.” The report returned more than 75 recommendations oriented around a strategy of “layered cyber deterrence” designed to “reduce the probability and impact of cyberattacks of significant consequence.”
Layered deterrence is a three-step process consisting of:
- Shaping behavior — working with allies and partners to promote responsible behavior in cyberspace;
- Denying benefits — securing critical networks so that attackers who gain access will be unable to cause damage; and
- Imposing costs — maintaining the ability to retaliate against actors targeting the U.S.
To meet these broad goals, the commission identified six key pillars for the federal government: reforming the government’s structure and organization for cyberspace; strengthening norms and nonmilitary tools; promoting national resilience; reshaping the cyber ecosystem toward greater security; stepping up collaboration with the private sector on cybersecurity; and developing the military’s cybersecurity capabilities.
Electric utilities are identified in the report through recommendations centered on “critical functions” that depend on a reliable power supply. The commission called for Congress to consult with the private sector on how to ensure continuous operation of such functions, while also identifying entities responsible for systemically critical systems and assets — to ensure both that they have the full support of the U.S. government and that they meet a satisfactory level of security performance.
COVID-19 Presents Cyber Challenges
While the report was drafted before the emergence of the coronavirus as a national threat, commission members believe the current crisis may help to drive home the importance of cybersecurity in critical infrastructure sectors, as well as to state and federal officials.
“The commission’s report makes clear the need for the federal government to invest more in private sector resilience in order to prevent or mitigate a potential disruption,” said John Costello, a senior director with the commission. “I think it’s validated by the COVID crisis in terms of highlighting how a systemic disruption to our economy could unfold, and the need for the government and private sector to be prepared to meet it.”
Cybersecurity has been identified as a significant concern for a number of industries, including electricity, because of the larger-than-usual number of people using online services to work from home. NERC’s Pandemic Preparedness and Operational Assessment — Spring 2020, issued last week, reminded industry that the remote work force represented a “new attack vector” and to be “hyper vigilant.” (See PPE, Testing Top Coronavirus Concerns for NERC.)
Solarium team members hope that as utilities work to address these near-term concerns, government can build a national foundation to develop and spread cybersecurity best practices. The commission’s recommendations in this regard revolve around the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which it urged Congress to empower as the lead agency for federal cybersecurity efforts.
“We want working at CISA to become so appealing to young professionals interested in national service that it competes with the NSA, the FBI, Google and Facebook for top-level talent (and wins),” the Solarium Commission’s co-chairs, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), said in the report.
Push for Public Utilities
Another area of focus for the commission was assisting utilities that understand the need for cybersecurity but may lack the financial flexibility for the major, ongoing efforts needed in a quickly changing threat landscape. Federal agencies can play an important role in establishing shared resources and other tools for these entities to draw on, as well as helping them build their internal capabilities.
“For the most part, utility companies run on small margins. A lot of them are publicly owned. That means they don’t have much wiggle room in terms of their budget and investments in cybersecurity,” Costello said. “There’s a few things that the government can do to help. … One would be to augment and subsidize their security operations through programs and funding, and the report really tried to strengthen those areas of government assistance.”
While participants in last week’s briefing were optimistic about the determination of government and industry leaders to strengthen their cyber defenses, they warned against becoming complacent once the immediate danger has passed and utilities are able to move toward normal operations. Ironically, the industry’s success in keeping vital electricity systems running even in crisis conditions could lead members of the public to conclude that no changes are needed, in turn reducing the likelihood of political pressure forcing utilities to stay on top of their security practices.
“We can still teach and learn online; you can do your banking online; you can even get to your supermarket, and the refrigeration systems are still working,” Mroz said. “But that’s what I hope people don’t take for granted. And I think exactly what the commission was saying is that we need to be vigilant … and keep the focus on how you ensure that those threats aren’t realized and take down our way of life.”