Jan 18 2023

CESER’s SLTT Program Builds Cybersecurity Cooperation for Energy Infrastructure

The U.S. Department of Energy examines threats to the electrical grid with energy risk profiles.

On the night of Dec. 5, 2022, the electricity went out in Moore County, N.C., leaving 45,000 residents reaching for flashlights and warm blankets. Gunfire hit two power substations, and authorities say the attacker knew where to aim to achieve maximum damage.

“This kind of attack raises a new level of threat,” said Gov. Roy Cooper at a press conference.

But this is precisely the kind of assault on energy infrastructure for which federal and state officials across the country have spent years preparing action plans. Vandalizing power stations isn’t a new phenomenon. In 2013, a sniper fired on a substation near San Jose, Calif., damaging 17 transformers and requiring $15 million in repairs.

The U.S. Department of Energy publishes state and regional energy risk profiles under the auspices of the Office of Cybersecurity, Energy Security and Emergency Response (CESER). Through collaborations with partner organizations, CESER’s State, Local, Tribal and Territorial (SLTT) Program works to support:

  • Governors and their energy advisers
  • State energy office directors and their staff
  • Public utility commissioners
  • State legislators
  • Emergency managers
  • Public power owners and operations

“CESER aims to provide resources that local governments need to effectively plan for and respond to energy emergencies,” says DOE spokesperson Jeremy Ortiz. “All emergencies begin at the local level. The more resilient and prepared state, local, tribal and territorial governments are, the more our nation is prepared.”

All the major public and private energy trade groups are also deeply involved in the effort, including the American Public Power Association, the National Association of Regulatory Utility Commissioners, the National Association of State Energy Officials and the National Governors Association.

What Are the Risks Facing Energy Infrastructure?

The primary risks to energy infrastructure — including electricity, natural gas and petroleum — come not from cyber intrusion or snipers, but from the weather. For example, North Carolina is prime hurricane country. Storms do an average of $186 million per year in damage there, and it’s no surprise falling trees are the primary cause of electrical outages, as is true for the rest of America.

Still, other risks lurk, like time. A third of the state’s aging gas pipeline system was built prior to 1970. North Carolina petroleum pipelines are even more aged, with 57 percent more than 50 years old.

Alaska, on the other hand, enjoys relatively young petroleum pipeline infrastructure, with only 5 percent built before 1970. However, as it is mostly wilderness, 10 percent of electricity outages are due to animals.

Another common cause for electricity failures in all states is faulty equipment and human error, at around 25 percent. The least frequent is theft and vandalism, which hovers around 2 percent.

“Understanding the causes, frequency and history of energy disruptions helps states make informed decisions about energy investments, resilience and hardening strategies, and asset management,” says Ortiz. “Recognizing state risks and hazards also enables states to better prepare for potential disruptions. States have used these risk profiles for federal grant applications, state energy security plans and tabletop exercises.”     

Last year, CESER helped sponsor Wisconsin’s “Shattered Cheddar” regional energy emergency exercise. In attendance were energy officials, public utility commission personnel, emergency management, and national guard representatives from Illinois, Michigan, Minnesota, Iowa, Kentucky, Tennessee, Louisiana, Arkansas, Oklahoma and Nebraska. It also drew members of the Bad River Band of Lake Superior Chippewa and the Menominee Indian Tribe of Wisconsin.

The assembled experts worked through a scenario in which a polar vortex gas pipeline break caused rolling blackouts and a loss of residential heating. The exercise resulted in an agreement to create a new regional coordination framework.

What Are the Cybersecurity Threats to Energy Infrastructure?

The federal Cybersecurity and Infrastructure Security Agency (CISA) is tasked with protecting the assets, systems and networks that underpin American society and its economy. In 2021, CISA launched the Joint Cyber Defense Collaborative (JCDC) to bring federal, corporate, state, local and tribal players together.

“Experts across all levels of government and the private sector work with JCDC to gather, analyze and share actionable cyber risk information to enable synchronized, holistic cybersecurity planning, cyber defense and response to reduce risk to critical infrastructure,” says CISA Associate Director Clayton Romans.

It’s a robust group that includes AT&T, Broadcom, Cisco, Microsoft, Verizon, the Office of the Director of National Intelligence, the FBI, the National Security Agency and the Department of Defense. “State and local partners can engage at the level of effort that reflects their operational requirements and resource availability,” says Romans.

JCDC welcomes new members and makes it easy to join; there isn’t even an application.

Over the past two years, CISA has worked closely with state, local and tribal organizations to track and defend against the Chinese APT41 phishing campaign targeting energy, manufacturing and governments around the world. Special focus was put on sharing multiple zero-day vulnerabilities used as initial intrusion vectors.

“New threats are always evolving,” says Chris Stallings, director of the Georgia Emergency Management and Homeland Security Agency. “While we have focused on the physical integrity of our most critical needs, we also have to focus on our cyber hygiene. This is an extremely important but thin tightrope being walked by all those in homeland security and in federal, state and local law enforcement.” Education of employees is key.

Stallings’ agency also has begun working more closely with CISA and CESER. “This is a new relationship we’re excited about. Pushing cybersecurity forward is a key responsibility of not only homeland security but also emergency management,” he says.

Other states have been working with the feds on a long-standing basis.

“We worry about everything,” says New Jersey CISO Michael Geraghty. He’s also director of the state’s Cybersecurity and Communications Integration Cell, a group that includes regular input from regional FBI, DHS and CISA officials. “It’s been going on for years and years. We pervasively collaborate,” he says.
