Energy Department Cooperates with States on Cyberattacks
In March, a Utah-based renewable energy company became the target of a first-of-its-kind cyberattack on a U.S. utility, sporadically losing track of its generation sites over a 12-hour period.
The Department of Energy says that the attack “is the first confirmed to have caused ‘interruptions of electrical system operations,’” according to E&E News. It affected sites in three states, a sign of how widespread the effects of a cyber incident can be.
To address this growing threat, the DOE in 2018 formed the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to serve as a focal point within the department to deal with cybersecurity, energy security and the emergency response function.
Karen Evans, DOE’s assistant secretary for CESER, who also testified at the February hearing, highlights the intersectional nature of the office. “We work really closely with the states to make sure that all the resources in the department are shared with the state emergency response teams,” she says.
However, the office’s role is not just to support emergency response. Following the NIST Cybersecurity Framework, CESER’s efforts are primarily proactive.
“We’re trying to change the dynamic so we’re more focused on the detect-and-protect aspects,” Evans says; this is considered the surest way of limiting impact and minimizing threats.
This is not a simple task when talking about America’s energy grid. “We don’t own the infrastructure. Ninety percent of it is owned by private industry,” Evans notes. As a result, federal agencies must work closely with state-level stakeholders and the private sector.
Information Sharing and Exercises Help Utilties Mitigate Attacks
DOE and CESER manage the complex problem of energy infrastructure cybersecurity through two main avenues. Information sharing and analysis centers, or ISACs, established under a 1998 presidential directive, play a critical role in the process, maximizing “information flow across the private sector critical infrastructures and with government,” according to the National Council of ISACs website.
The Energy ISAC provides updates and bulletins on emerging threats and new standards for compliance, which are disseminated through the Multi-State ISAC to state agencies and private sector organizations.
CESER also engages in regular preparedness exercises, including the NERC GridEx program. The exercises are designed to probe the grid for vulnerabilities and identify solutions to them. “There are a lot of lessons learned that we take from those exercises,” says Evans.