DOE must remain lead cybersecurity agency for energy sector, Energy and Commerce Committee indicates


The U.S. Energy and Commerce Committee has called upon Secretary of Energy Jennifer Granholm to ensure that the Department of Energy (DOE) remains the lead cybersecurity agency for the energy sector by maintaining its existing authority as the Sector Risk Management Agency (SRMA) for energy sector cybersecurity. The Committee also pointed out that without the DOE’s engagement and immediate attention, ‘we are concerned that DOE’s role in helping to ensure energy sector cyber security will be diminished.’

The committee leaders stressed the importance of coordination between the energy sector and the federal government in responding to increased cyber threats to energy infrastructure. They did so in a letter written by Chairman Frank Pallone Jr., a Democrat from New Jersey, and Ranking Member Cathy McMorris Rodgers, a Republican from Washington, along with Senate Energy and Natural Resources Chairman Joe Manchin, a Democrat from West Virginia, and Ranking Member John Barrasso, a Republican from Wyoming. “It is more important than ever to protect critical infrastructure from cyber threats and to avoid inconsistent and duplicative requirements for private industry,” the letter added.

The Committee members also referred to Congress passing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as part of the Consolidated Appropriations Act of 2022 last month. The Act establishes mandatory cyber intrusion reporting requirements for critical infrastructure companies, including companies in the energy sector. It also assigns responsibility for implementation to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

“Given the increase of cyberattacks on energy infrastructure the ability to consolidate and share that information within the federal government to rapidly respond is vital. However, while the Act spells out CISA’s new obligations, DOE remains the lead agency for energy sector cybersecurity as established by law,” according to the letter. “As cyber threats increase, it is urgent that DOE fulfill its duty as the lead agency. DOE’s energy sector expertise and well-established partnerships with industry are critical in managing risk in today’s threat environment. We fully expect that DOE will discharge its lead cybersecurity and emergency response efforts for the energy sector in close coordination with DHS as it has done for years,” it added.

The letter also pointed out that before the passage of the Act, electric utilities and other energy companies were required to report certain cyber incidents to DOE, the Federal Energy Regulatory Commission (FERC), state and local agencies, and the North American Electric Reliability Corporation (NERC). “As CISA develops a rulemaking for reporting requirements under the Act, we ask you to work to maintain DOE’s role as the SRMA for the energy sector, as required by law. Further, we ask that you urge the Secretary of Homeland Security and other federal agencies to harmonize existing cyber incident reporting requirements for the energy sector with CISA’s forthcoming reporting requirements in order to provide clarity and consistency,” the Committee members added in their letter.

In addition, the letter urges companies in the energy sector to focus their attention on maintaining cybersecurity and responding to cyber threats to critical infrastructure, and to avoid inconsistent and duplicative requirements. They must also establish consistent reporting requirements, which is especially important now.

Last week, the Cybersecurity and Infrastructure Security Agency released its Sharing Cyber Event Information fact sheet, which provides stakeholders with clear guidance and information about what to share, who should share, and how to share information about unusual cyber incidents or activity.

CISA uses information from partners to build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors, it said. The information fills critical information gaps and allows CISA to rapidly deploy resources and assist victims suffering attacks, analyze incoming reporting across sectors to spot trends, and swiftly share that information with network defenders to warn other potential victims.

The Energy and Commerce Committee letter comes at a time when the energy sector is dealing with the resurgence of the TRITON malware. As these threats reach the industrial control systems (ICS) and supply chain frameworks, there is an urgent need for critical infrastructure asset owners and operators to improve asset visibility, strengthen network access, and bolster the overall organizational cybersecurity position.

Last month, U.S. President Joe Biden asked critical infrastructure owners and operators to improve domestic cybersecurity and bolster national resilience. The latest warning comes in the wake of ‘evolving intelligence’ that the Russian government is exploring options for potential cyberattacks.
