US Senate Energy Committee addresses cybersecurity risks to critical parts of energy infrastructure

The U.S. Senate Committee on Energy and Natural Resources held Thursday a full committee hearing to examine cybersecurity vulnerabilities to the nation’s energy infrastructure. The committee also looked into the fact that energy resources are being used as a geopolitical weapon against the nation’s friends and allies, while its adversaries have increasingly begun using cyberattacks to infiltrate American infrastructure to disrupt energy security and the economy.

The witnesses at the hearing were Puesh M. Kumar, director of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) of the U.S. Department of Energy (DOE), Robert M. Lee, CEO and co-founder of industrial cybersecurity company Dragos, and Stephen L. Swick, chief security officer at American Electric Power (AEP). 

“The rapidly changing cyber threat landscape will require constant federal attention and strategic flexibility to ensure we are ahead of the curve and not caught off guard to the detriment of our national security, public health and safety, and economy,” Senator Joe Manchin, chairman of the Senate Committee on Energy and Natural Resources, wrote in his Testimony. “Our government has taken substantial steps in the past decade to improve federal coordination, increase funding for research and development, enhance intelligence dissemination, and build on existing public-private partnerships.”

Covering the threat environment, Senator Manchin said that cyber threats can be attributed to individual bad actors, transnational organized crime, state-sponsored groups, and nations. “The 2022 Annual Threat Assessment from the Office of the Director of National Intelligence assessed China as the broadest and most active cyber threat to the U.S. Government and private sector networks. In addition, the assessment identifies Russia as the top cyber threat that is specifically focused on targeting our critical infrastructure,” he added.

“Russia’s cyberattack that shut down Ukraine’s electricity grid in 2015 was a wake-up call to the possibility of large-scale cyberattacks on critical infrastructure like the electric grid,” he added. “Putin’s vicious aggression in Ukraine increased the likelihood that Russia will increasingly rely on extreme and dangerous tactics against Ukraine’s allies, such as using cyberattacks as retaliation for sending arms and aid to Ukraine.”

Analyzing the U.S. energy infrastructure, Senator Manchin said that cyber incidents impacting domestic energy infrastructure pose a persistent threat, many of which are never heard about. “However, some recent attacks have highlighted the severity of cyberattacks directed at our energy infrastructure,” he added. 

In his Testimony, Kumar pointed out that cybersecurity of critical energy infrastructure presents specific challenges, including the use of operational technology, spread over a wide geographic area, with minimal tolerance for downtime or service interruptions. “DOE is uniquely positioned to address malicious threats facing the U.S. energy sector as the coordinating agency for Emergency Support Function (ESF) #12, under the National Response Framework, and the Sector Risk Management Agency (SRMA) for the energy sector.”

Addressing unprecedented cyber threats, Kumar said that in 2022, the DOE, along with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint advisory warning that malicious actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices using custom-made tools. 

“These tools could potentially enable a threat actor to manipulate the systems that Americans rely upon to produce, deliver, and consume energy,” according to Kumar. “This joint advisory and its implications demonstrate our adversaries’ capacity to disrupt our critical infrastructure and are illustrative of the breadth and depth of the threat landscape overall.” 

Kumar said that within the DOE, CESER executes those responsibilities in close coordination with other offices across the Department and with interagency partners, including CISA, the FBI, the Federal Emergency Management Agency (FEMA), the Department of Defense (DOD), and elements of the Intelligence Community. 

He also added that CESER leads several significant efforts that push the boundaries of what is possible in energy cybersecurity. “We continue, with great urgency, to strengthen our sector’s cyber defenses, invest in new capabilities, and reimagine how we think about cybersecurity to ensure the resilience of the nation’s critical energy infrastructure. Given the severity of the threats we face, we must enhance cyber threat collaboration, secure energy sector supply chains, and build in security by design.”

“These are areas of focus for CESER as we partner with the DOE National Laboratories, higher education institutions, manufacturers, cyber technology companies, energy companies, and others to advance cybersecurity across the United States energy sector,” the CESER director added.

Dragos’ Lee wrote in his Testimony that his “testimony today serves as an update to my testimony in 2018. I want to note what has changed over the last five years and what actions I assess we must take to continue to protect our national security and local communities. I will focus my testimony on three key points that are relevant to the Committee and this hearing’s focus,” he added.

“The first is that the industrial cyber threat landscape has irreversibly shifted this past year,” Lee said. “As a result, heightened attention is required. It is necessary to prioritize OT/ICS networks with a focus on security controls that have demonstrated success against adversaries. We must do more than identify and implement best practices deployed in other areas such as enterprise information technology (IT).”

Lee said that the second is that the government should seek to understand what is and is not working and act while taking advantage of collaborative efforts that already exist and are being underutilized. “This will enable the United States government and our nation’s private sector to make strategic decisions about the capabilities and partnerships required for the future. Currently, there is an apprehension to call out what works and what does not work for fear of perception on picking winners and losers in the market. However, this approach means that the community has difficulty moving forward and wastes precious resources on efforts that are not as viable.”

Moving on to the third key point, Lee said that it is important to identify what sites are critical, what risks they need to be protected against, and to properly resource these efforts. “The private sector and the government must deploy resources. Most entities know what to do but policy issues impede them acting. Additionally, the federal government must be resourced and authorized correctly to secure its own infrastructure and serve as an example to private industry. Today, unfortunately, government agencies ask the private sector to take actions on its infrastructure that the government has not taken internally on its infrastructure,” he added.

In conclusion, Lee said that the infrastructure owner and operator community in the energy and natural resources sector has consistently shown that the majority of the players have focused on national security and not just business value creation. “We must be willing to make hard choices as the threat landscape, and the energy system itself has drastically changed. PIPEDREAM has shown that the threat landscape has irreversibly changed and that a sense of urgency is required. However, our infrastructure community has reliably shown that when empowered to do so, it will rise to the occasion and protect our communities and national security.” 

He added that “all are keenly aware that we live and work in the communities we serve. I would take an empowered energy sector and its partners over any state actor any day. Defense is doable.”

In his Testimony, AEP’s Swick wrote that the nation’s energy infrastructure has a long history of facing threats, whether natural or man-made. “Today’s cyber threats are increasingly complex and dynamic, requiring flexibility, creativity, and collaboration to address. To meet these ever-evolving challenges, AEP continues to prioritize cybersecurity through technology, collaboration, and a dedicated workforce enabling us to deliver safe, reliable, and resilient service to our customers.”

At AEP, Swick said that “we firmly believe that resilience begins with security, and security is resilience. Within the cybersecurity team, we have been very fortunate to retain our talented staff while growing the program and attracting external talent as well. This has allowed us to continually mature our program to meet future demands.”

Swick added that the threat landscape is becoming increasingly dynamic. “To best protect the electric grid, we must proactively identify threats, strategize how to shield against them and share relevant intelligence and mitigations across the critical infrastructure to strengthen our defenses. Regardless of what we do to protect our own systems, we each are as strong as our weakest interconnected peer. AEP recognizes that a strong foundation of security begins with secure products and technologies.”

“As utilities across the nation integrate advanced technology to make the grid smarter and more resilient, we must remain vigilant to ensure the products and services we use are secure,” Swick said. “Through a robust vendor review process AEP seeks out secure products and services that meet our architectural needs while offering capabilities that support risk reduction. There continue to be challenges to securing key technologies and components for the whole of the electric power industry.”

Swick added that a robust supply chain with secure-by-design products will only become increasingly important as the entry points for attacks and vulnerabilities continue to evolve. “Incentivizing the reshoring of production of certain critical grid equipment, like large power transformers, by the Federal government would be a supportive step to level the playing field for supply chain economics.” 

“Strengthening grid security requires collaboration across the electric industry and close partnership with all levels of government. We must have unification between systems, regardless of who owns or controls those systems,” according to Swick. 

Last week, the Homeland Security and Governmental Affairs Committee convened a hearing to examine cybersecurity threats facing the healthcare sector and how the federal government and healthcare providers are working to prevent breaches. The examination highlighted the severity of the threat and discussed how cyber-attacks against the healthcare sector can affect patient care and compromise sensitive medical information.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.