Testimony delivered at a Senate committee indicates that the U.S. energy sector needs more manpower and more testing programs to bolster cybersecurity
The U.S. Senate Committee on Energy and Natural Resources convened on August 5 for an oversight hearing on cybersecurity issues in the U.S. energy sector. At the meeting, the first of its type to be held in more than a year, U.S. legislators, regulators, and industry representatives discussed the measures already taken to protect electricity production, transmission, and distribution facilities. They also identified several areas in which more action was needed, saying that the U.S. energy sector would need more manpower and more testing programs in order to guard itself adequately against cyberthreats.
The importance of protecting critical infrastructure
Senator Lisa Murkowski (R-Alaska), the chairperson of the committee, opened the meeting with a statement that acknowledged the importance of cybersecurity issues in the energy industry. The sector is a key component of the country’s vital infrastructure, she noted, and the coronavirus (COVID-19) outbreak has made its vulnerabilities even more worrisome.
“We all know the stakes here. A successful hack could shut down power, impacting hospitals, banks, gas pumps, military installations, and cell phone service,” she said. “The consequences would be widespread and devastating, and only more so if we are in the midst of a global pandemic.”
Murkowski pointed out that the U.S. government had taken action on several fronts. She mentioned the executive order that President Donald Trump issued in May that made national security considerations, including both physical and information security, a criterion for the purchase of bulk power system equipment from foreign suppliers. She also said she had recently introduced new legislation that would restrict federal agencies’ leeway to disclose sensitive information related to the energy sector.
The need for a larger cybersecurity workforce
Alexander Gates, a senior advisor in the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at the Department of Energy (DOE), also stressed that the executive branch of the government had taken an active interest in the matter. Since the roll-out of the president’s executive order in May, he told members of the committee, DOE officials have held more than 90 telephone conferences with power equipment manufacturers and owners of bulk power supply assets.
Gates also reported, though, that additional action was needed on the human resources front. Echoing a 2019 (ISC)² report that warned of worldwide shortages in skilled cybersecurity personnel, he stated that companies working in the energy sector needed to hire and train larger numbers of specialists capable of guarding both information technology (IT) and operational technology (OT) systems.
“This is a challenge for the country,” he remarked. “We’re going to be short not only of IT cybersecurity professionals, but the shortages are even starker when we talk about industrial controls systems.”
DOE is taking some steps to open up new avenues for training, he added. For example, he said, the DOE has set up an internship program for U.S. Coast Guard Academy cadets at its National Laboratories.
Even so, a single internship program won’t fill all the gaps.
The need for more testing in the U.S. energy sector
Nor will it address problems in other areas – such as the need to test energy systems more extensively to assess their ability to withstand cyberattacks.
Sen. Joe Manchin (D-West Virginia), a ranking member of the committee, stressed this point, saying that the power sector had not done enough to cover the gaps between ageing infrastructure, high-tech equipment designed to prevent outages, and evolving cyberthreats. “No one’s testing,” he said. “Legacy grid systems were not designed to defend themselves against modern cyberattacks, and as they grow more and more connected to the internet, our electric systems grow more and more vulnerable.”
Manchin went on to say that he would work to ensure that generation, transmission and distribution operators had sufficient opportunities to test their systems’ ability to respond to cyberattacks. Gates pointed out, though, that the U.S. government was subject to certain “limitations” that would make it difficult for federal agencies to test the cybersecurity regimes of private-sector companies.
In the meantime, privately owned firms face their own barriers, according to Thomas O’Brien, the senior vice president and CIO of PJM Interconnection, a regional power transmission organization that operates a transmission grid serving 13 U.S. states. While PJM does carry out “extensive” red-team and penetration-testing exercises targeting its own networks, O’Brien said, it does not do the same for its member companies and sees such testing as beyond its jurisdiction.
In other words, there is more work to be done on this front. Certainly, the U.S. government has acknowledged that cyberattacks pose a genuine threat to the power industry, and it has taken some steps to draw attention to that threat. But given the extent of the cyber risks, Washington should also look for ways to provide concrete support by drawing attention to the energy sector’s need for more skilled and trained personnel and to the need for more extensive testing.