QUEBEC CITY — Speaking at the first panel of the Electricity Information Sharing and Analysis Center’s annual GridSecCon security conference in Quebec City, NERC CEO Jim Robb said that the Cybersecurity and Infrastructure Security Agency’s (CISA) Shields Up initiative, implemented prior to Russia’s invasion of Ukraine in 2022, has done a lot “to make cybersecurity accessible” to workers in the electric industry.
However, he added that the initiative also had “created a real problem,” raising the question: How long can the industry be expected to maintain the vigilance that the name implies?
“This industry typically keeps its shields up at all times. And at some point you’ve got to ask yourself, ‘When can we lower them?’ Well, we’ve never lowered them, right?” Robb said. “So I think one of the real challenges here is, how do you sustain the intensity, dealing with the very real fatigue that results from that intensity, and keep your cyber defenses fresh?”
The challenge is exacerbated by the fact that the cyber struggle is “just not a fair fight,” with owners and operators of electric infrastructure — predominantly private companies — having to stand against adversaries that include actors backed by nation-states like Russia and China, along with financially motivated criminals. For the industry to resist such opponents, Robb said, its members must be able to rely on “extraordinary collaboration” with their peers and the government.
Robb’s fellow panelists, representing the public and private sectors in both the U.S. and Canada, agreed that mutual support is key to building cyber resilience. This also is true outside the power industry. Nitin Natarajan, CISA’s deputy director, described a symposium the agency recently held with emergency responders in the Northeast U.S. to educate them about introducing cybersecurity into their communications.
Adding to Robb’s point about the evolving cyber threat landscape, Natarajan pointed out that ransomware attacks have become easier than ever because of the rise of the ransomware-as-a-service model, in which a core group develops and operates a ransomware package while recruiting affiliates to break into networks and deploy the malware. Groups using this model include DarkSide, which federal officials believe was behind the attack on Colonial Pipeline in 2021. (See Colonial CEO Welcomes Federal Cyber Assistance.)
“You no longer need to start up your own cyber terrorist organization to attack somebody; you can hire somebody to do it for you,” Natarajan said. “If you have Bitcoin and you have an enemy, you can attack somebody today.”
Panelists agreed that because the Canadian and U.S. electric grids are fully integrated, collaboration also must extend across international borders. Rajiv Gupta, associate head of the Canadian Centre for Cyber Security, said Canada’s government is working hard to establish a tough regulatory regime around cybersecurity.
The Critical Cyber Systems Protection Act (CCSPA), part of a major bill making its way through Parliament, is an important step toward ensuring cybersecurity within critical industries, Gupta said. The bill would create a “comprehensive regulatory framework” governing cyber systems in Canada’s critical infrastructure, giving the government the power to review and intervene in cyber compliance and operational situations.
While Gupta and the other panelists applauded CCSPA, they also said it is only “a step in the [right] direction,” acknowledging that more effort will be needed to ensure smaller utilities as well as larger ones can respond to the new requirements.
“The organizations with more money have very different cybersecurity postures than the smaller ones,” Gupta said. “And we have to make sure to close that gap between large and small, because … getting that harmonization, not just across standards and countries and organizations, but also addressing disparities between well-funded organizations and lesser-funded [ones] is super important as well.”