Nov 20 2019

States and Feds Team Up to Protect Energy Grid from Cyberattacks

National GridEx training exercises showcase cybersecurity capabilities of state National Guard units.

In the Grid Security Exercise series led by the North American Electric Reliability Corporation, the U.S. electric grid faces simulated attacks, including cyberattacks.

NERC, nonprofits, energy suppliers and the military all take part in the exercises. GridEx also includes corporate partners (such as AT&T) that provide specialized software solutions to protect energy infrastructure built to comply with the U.S. National Institute of Standards and Technology’s Cybersecurity Framework

But perhaps the most important partners that participate in exercises like GridEx V, which took place last week, are the state and local jurisdictions where critical infrastructure targets are located. The West Virginia National Guard Critical Infrastructure Protection Battalion is among the state groups participating in GridEx exercises. Maj. William Keber, the battalion’s executive officer, says that the group’s role is to “analyze energy sector concerns that impact government facilities and operations.” 

In February, the Senate Committee on Energy and Natural Resources held a hearing on cybersecurity efforts in the energy industry. The West Virginia National Guard Critical Infrastructure Protection Battalion described its efforts to assess cybersecurity infrastructure and train thousands of employees from the departments of Energy, Defense, Transportation and Homeland Security.

“Since inception, our teams have conducted 3,583 assessments and 2,662 training events, educating 59,237 individuals as of January 2019,” Keber testified then.

The increasingly interconnected nature of vital systems means an ever-expanding landscape of threats, and energy infrastructure is emerging as one of the most critical intersections of vulnerability and risk, requiring state and federal cooperation to mitigate emerging threats such as cyberattacks. 

The West Virginia National Guard recognizes the importance of information sharing in protecting the nation’s energy infrastructure from cyberattack, Keber says. “We realize that professional exchanges of best practices are an effective way to foster relationships between our organization and civilian organizations,” he says.

Energy Department Cooperates with States on Cyberattacks

In March, a Utah-based renewable energy company became the target of a first-of-its-kind cyberattack on a U.S. utility, sporadically losing track of its generation sites over a 12-hour period.

The Department of Energy says that the attack “is the first confirmed to have caused ‘interruptions of electrical system operations,’” according to E&E News. It affected sites in three states, a sign of how widespread the effects of a cyber incident can be.

To address this growing threat, the DOE in 2018 formed the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to serve as a focal point within the department to deal with cybersecurity, energy security and the emergency response function.

Karen Evans, DOE’s assistant secretary for CESER, who also testified at the February hearing, highlights the intersectional nature of the office. “We work really closely with the states to make sure that all the resources in the department are shared with the state emergency response teams,” she says. 

However, the office’s role is not just to support emergency response. Following the NIST Cybersecurity Framework, CESER’s efforts are primarily proactive.

“We’re trying to change the dynamic so we’re more focused on the detect-and-protect aspects,” Evans says; this is considered the surest way of limiting impact and minimizing threats. 

This is not a simple task when talking about America’s energy grid. “We don’t own the infrastructure. Ninety percent of it is owned by private industry,” Evans notes. As a result, federal agencies must work closely with state-level stakeholders and the private sector.

MORE FROM STATETECH: Remember that vulnerabilities can lurk even in water meters or energy grids.

Information Sharing and Exercises Help Utilties Mitigate Attacks

DOE and CESER manage the complex problem of energy infrastructure cybersecurity through two main avenues. Information sharing and analysis centers, or ISACs, established under a 1998 presidential directive, play a critical role in the process, maximizing “information flow across the private sector critical infrastructures and with government,” according to the National Council of ISACs website.

The Energy ISAC provides updates and bulletins on emerging threats and new standards for compliance, which are disseminated through the Multi-State ISAC to state agencies and private sector organizations.

CESER also engages in regular preparedness exercises, including the NERC GridEx program. The exercises are designed to probe the grid for vulnerabilities and identify solutions to them. “There are a lot of lessons learned that we take from those exercises,” says Evans.