By Rich Heidorn Jr.

FERC should stop issuing new cybersecurity standards to allow the electric industry to develop innovative defenses to vulnerable industrial control systems — and the National Guard should be ready to respond if an attack succeeds, witnesses told the Senate Energy and Natural Resources Committee on Thursday.

The panel heard from Assistant Energy Secretary Bruce Walker, a former National Security Agency cyber sleuth, the CEO of the National Rural Electric Cooperative Association (NRECA) and two academics in a nearly two-hour hearing. Chairman Lisa Murkowski (R-Alaska) opened the hearing by asking for advice on what Congress should do after giving FERC the power to issue mandatory reliability standards (in the Energy Policy Act of 2005) and making the Department of Energy the federal agency in charge of responding to attacks on the grid (in the 2015 Fixing America’s Surface Transportation Act).

Robert M. Lee, who founded industrial cybersecurity company Dragos with two other former NSA experts on industrial threats, told the committee that the critical infrastructure protection (CIP) standards mandated by FERC through NERC had made “the North American Bulk Electric System the most resilient and well defended in the world.”

But he said FERC and NERC should not issue any new CIP regulations for three to four years. “This would allow companies to catch up with the current regulations … [and] allow the electric asset owner and operator community to spend a period of time innovating and thinking of new best practices informed by experience. At the end of this period DOE, FERC, NERC and the regulated community can then identify best practices and determine if new regulations are appropriate,” he said.

“If this recommendation is not palatable, then I would propose an alternative where the regulations are focused instead on program building, such as regulating that a company implement a threat intelligence program, instead of performance-based auditing,” he continued. “This would satisfy the potential desire to move regulations forward while allowing the electric community to develop their own ways forward inside of those programmatic bounds.”

The problem, Lee said, is that “regulations and standards are the trailing end of best practices and only serve as a base level of security. They are not, nor would any regulation be, adequate in the face of determined adversaries. Malware and vulnerabilities are not the threat. The threat is the human adversary, and we cannot regulate them away.”

OT is not IT

Lee and other witnesses emphasized the differences between attacks on utilities’ information technology systems and those on operational technology systems such as supervisory control and data acquisition (SCADA).

“Fortunately, the successful attacks to date have largely been concentrated on utility business systems, as opposed to monitoring and control systems, in part because the operational technology systems have fewer attack surfaces, fewer users with more limited privileges, greater use of encryption, and more use of analog technology,” said professor William H. Sanders, head of the Department of Electrical and Computer Engineering at the University of Illinois at Urbana-Champaign. “However, there is a substantial and growing risk of a successful breach of operational technology systems, and the potential impacts of such a breach could be significant.”

Walker, who heads DOE’s Office of Electricity Delivery and Energy Reliability, also made the distinction. “Power systems must operate continuously with high reliability and availability. Upgrades and patches can be difficult and time-consuming, with components dispersed over wide geographic regions,” he said. “Further, many assets are in publicly accessible areas where they can be subject to physical tampering. Real-time operations are imperative, and latency is unacceptable for many applications. Immediate emergency response capability is mandatory and active scanning of the network can be difficult.”

New DOE Cyber Office

Last month, DOE announced it was merging its Infrastructure Security and Energy Restoration (ISER) division and Cybersecurity and Emerging Threats Research and Development (CET R&D) division into the Office of Cybersecurity, Energy Security and Emergency Response (CESER).

Walker said CESER “will enable more coordinated preparedness and response to cyber and physical threats and natural disasters. This must include electricity delivery, oil and natural gas infrastructure, and all forms of generation.”

President Trump has requested $95 million in fiscal 2019 for the office “with a focus on early stage activities that improve cybersecurity and resilience to harden and evolve critical grid infrastructure,” Walker said. “These activities include early stage R&D at national laboratories to develop the next generation of cybersecurity control systems, components and devices including a greater ability to share time-critical data with industry to detect, prevent and recover from cyber events.”

Acts of War

Jim Matheson, CEO of the National Rural Electric Cooperative Association (NRECA) and a former congressman (D-Utah), decried “far-fetched scenarios [and] sensationalized claims” about the risks to the grid.

“The scenarios most publicized are rarely reflective of the real threat environment and disproportionately emphasize the highest consequence scenarios that are the least likely to occur,” he said. “Many of the more dramatic scenarios would constitute acts of war on the United States and would directly impact more than just the electric sector.”

No Cyber Fire Departments

Such an event would call for the National Guard, said Barbara Endicott-Popovsky, executive director of the Center for Information Assurance and Cybersecurity at the University of Washington.

Endicott-Popovsky said Congress should pass a bill that would establish National Guard Cyber Civil Support Teams of up to 10 members in every state and territory to serve as first responders following an attack and bridge the gap between federal and non-federal efforts. The cyber CSTs would be under the direction of governors and state adjutant generals, under legislation (H.R.3712) introduced last September in the House of Representatives and referred to the Subcommittee on Military Personnel in October. The bill is modeled after a program created by the Washington National Guard.

“Civilians are used to calling 911 for emergencies of all kinds, but who do you call in the event of a major cyber outage? There are no cyber fire departments,” she said. “The [Department of Defense] is prepared to defend their own networks to support their missions, but who will step in on the civilian and private sector sides to restore power, to assist with maintaining our communities? There is no one. This vacuum is a national security threat.

“Public and private, we have two very different missions: The mission of the military is to protect the Homeland, and the mission of private sector to innovate and maintain profitability for the board and shareholders,” she continued. “Blending missions is not an easy task, but the time has come where the cost of not integrating resources significantly outweighs the benefits of maintaining independent response plans. This is especially true given the workforce shortage of cyber specialists.”

Endicott-Popovsky said it will take a national effort comparable to NASA’s goal of landing on the moon to fill the shortage of cyber talent. “While cybersecurity education has been called a national priority by some, there still are hundreds of thousands of cybersecurity jobs going unfilled, and the gap will take a long time to close,” she said.

The good news: Cybersecurity is becoming a profession, with 32 distinct career paths identified under the National Initiative for Cybersecurity Education (NICE) framework, she said.

How Congress Can Help

In response to Murkowski’s question about Congress’ next steps, Matheson called for more timely information sharing by government after incidents such as the December 2015 attack on Ukraine’s grid.

He also called for legislation allowing the FBI to conduct background checks on utility industry personnel performing critical functions, continued funding for R&D and aid to small and medium utilities for improving their security.

Illinois’ Sanders said DOE, the Department of Homeland Security and researchers should focus their R&D and demonstration projects on developing six capabilities: “continuous data collection, fusion of sensor data, visualization, analytics, restoration and post-event tools.”

“These capabilities can be achieved only if academia, industry and government work closely together in a focused research and development program,” he said.