Energy Committee examines expertise of sector specific agencies over critical infrastructure protection

The U.S. House Energy and Commerce Committee held on Tuesday a subcommittee meeting with witnesses from the Department of Energy (DOE), Department of Health and Human Services (HHS), and Environmental Protection Agency (EPA) to discuss each agency’s expertise in protecting critical infrastructure from cyberattacks. The hearing gave members an opportunity to examine the efforts of sector-specific federal agencies to secure critical infrastructure against cybersecurity threats, assess agencies’ responses to emerging threats, and learn more about the roles of the represented agencies in the federal cybersecurity enterprise. 

The subcommittee hearing, ‘Protecting Critical Infrastructure from Cyberattacks: Examining Expertise of Sector Specific Agencies,’ was attended by Cathy McMorris Rodgers, House Energy and Commerce Committee chair and a Republican from Washington, and Morgan Griffith, chair of the subcommittee on oversight and investigations and a Republican from Virginia.

Witnesses to the hearing included Puesh Kumar, director at the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), DOE; David Travers, director for water infrastructure and cyber resilience division at the Office of Groundwater and Drinking Water, Office of Water, EPA; and Brian Mazanec, deputy director at the office of preparedness, administration for strategic preparedness and response at the HHS.

The hearing provided an opportunity to look into the activities that these agencies engage in to carry out their responsibilities as sector risk management agencies (SRMAs), and how they incorporate their specialized knowledge of their respective sectors to strengthen federal cybersecurity efforts. It also looked into how these agencies coordinate with and support critical infrastructure owners and operators, how they maximize existing relationships with these entities as part of their cybersecurity activities, and which emerging cybersecurity threats to critical infrastructure Congress should be aware of.

In his testimony, Kumar focused on the value of the SRMA (sector risk management agency), the need for specialization by sector, and the role that DOE’s CESER plays in fulfilling the department’s duties as an SRMA. “The energy sector provides the power and fuel that all other U.S. critical infrastructure sectors depend on to operate. A disruption in the energy system can have a devastating impact to national security, the U.S. economy, and the safety and livelihoods of millions of Americans.”

He added that CESER is focused on securing the nation’s energy infrastructure against all hazards, reducing the risks and impacts of cyberattacks, physical incidents and other disruptive events, and supporting state, local, tribal, and territorial governments (SLTT), as well as industry, with response and restoration when a disruption occurs. 

Kumar also highlighted that apart from working in collaboration with experts from across DOE, the CESER is built upon a foundation of partnerships with industry; SLTT communities; regulators like the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC); suppliers and manufacturers; and academia. “It is through these trusted relationships that we are able to execute our responsibilities on behalf of DOE as the SRMA for the energy sector,” he added.

Looking ahead, Kumar said that the value DOE brings as the SRMA in this evolving environment will be a concerted focus on innovation, collaboration, and efficiency. “On behalf of the Department, CESER will continue to update our risk assessments and response operations and invest in tools and technologies to address the ever-evolving threat landscape.” 

Citing the National Cybersecurity Strategy, Kumar said that the DOE pilot of the Energy Threat Analysis Center (ETAC) provides an example of the new and innovative capabilities that the nation needs to effectively collaborate at the scale and speed needed to defend critical infrastructure. “Through this new, operational approach to cyber collaboration, we will close gaps in our collective situational awareness of threats, improve our ability to mitigate and defend against them, and support the nation’s response to incidents within the energy system,” he added.

According to Kumar, DOE is adept at ‘deploying innovative solutions to complex problems and will continue to do so in service to the American people, ensuring the U.S. energy sector becomes only more secure and resilient with time.’

Travers outlined that the EPA fulfills its critical mission in cybersecurity for the water and wastewater systems sector in coordination with DHS, the Water Sector Coordinating Council of industry representatives, and other federal, SLTT, and private sector partners. 

In his testimony, Travers pointed to various efforts that the EPA has undertaken, including supporting water systems with cyber incident response planning and developing a Cyber Incident Action Checklist that guides utilities through preparing for, responding to, and recovering from a cyber-attack.

The EPA has provided training on cybersecurity best practices, as well as threats, vulnerabilities, and incident response, to thousands of water and wastewater systems nationwide. The agency also understands the criticality of exercising emergency response planning and has created the Water System Cybersecurity Tabletop Exercise module to guide utilities in testing their readiness for a cyber incident. EPA has also continued to request, identify, receive, and disseminate cybersecurity intelligence and cyber threat information relevant to the water sector through the EPA Federal Intelligence Coordination Office.

Due to the continued significant vulnerability of many water systems to cyber-attacks, the increasing frequency of cyber-attacks on critical infrastructure facilities, and the potentially significant public health impacts of a cyber-attack on a water system, EPA has leveraged its existing regulatory authority to improve cybersecurity in the sector.

“Accordingly, on March 3, 2023, EPA released a memorandum titled Addressing PWS cybersecurity in sanitary surveys or an alternate process,” Travers said. “This memo was designed to ensure that all water systems are taking important steps to strengthen cybersecurity and to acknowledge that states have flexibility on how best to do this based on local needs. The memorandum conveys EPA’s interpretation of its existing regulations that states must include cybersecurity when they conduct regular audits of water systems through sanitary surveys or an alternate process.”

Moving forward, Travers outlined that the “EPA will continue our work with our public and private sector partners to help water and wastewater systems become more secure and resilient against both natural hazards and malevolent acts, including the threat of cyber-attacks. These efforts remain an essential component of EPA’s mission to protect public health and the environment,” he added.

Mazanec centered his testimony on the growing cyber threat facing the healthcare and public health (HPH) sector; the role of HHS and the department’s Administration for Strategic Preparedness and Response (ASPR) as the Sector Risk Management Agency (SRMA) in addressing this threat; and the department’s current approach to strengthening the sector’s cybersecurity today and into the future.

“ASPR’s mission is to help the country prepare for, respond to, and recover from public health emergencies and disasters,” Mazanec wrote in his testimony. “A part of that responsibility as the SRMA, ASPR helps prepare the health care sector for disasters and emergency events through the Health Care Readiness and Recovery program. As directed by HHS, ASPR carries out this SRMA function through our Office of Critical Infrastructure Protection within our Office of Preparedness.”

Mazanec wrote that all HHS agencies and divisions work as a team, bringing together their unique cybersecurity perspectives, expertise, and authorities as a single collaborative effort to assist the HPH sector, from direct engagement with the HPH sector on cybersecurity activities to collaborative regulatory actions with the goal of HPH sector protection. “For example, OCR collaborates with ONC on development of and enhancements to the Security Risk Assessment (SRA) Tool that provides small- and medium-sized HPH sector organizations a tool to identify and assess security risks to health information within their organizations,” he added.

Mazanec identified that response planning for cyber incidents is critical as the frequency and intensity of these attacks increase. “HHS recently completed a Healthcare and Public Health Sector Risk Management Agency Cyber Incident Response Plan, which provides the framework to coordinate processes for HPH sector cyber incident management within HHS. HHS is also developing a public-private sector partnership playbook to promote collaboration during all-hazards events, including cyber events,” he added.

He added that the HHS also has a regulatory role over certain elements of the HPH sector, and this role helps strengthen the sector’s cyber posture. 

Mazanec also covered medical devices, where the FDA clears, authorizes, and approves devices to be marketed when there is a reasonable assurance that the devices are safe and effective for their intended use, which includes the cybersecurity of such devices. FDA provides guidance regarding the cybersecurity expectations of medical devices for medical device manufacturers, which is also useful for healthcare delivery organizations as they review their management of medical device cybersecurity.

Addressing the challenges going forward, Mazanec said that the HHS is working diligently to strengthen cybersecurity and address the impacts of cyberattacks on the healthcare system. “As we move forward, there are additional authorities and resources that would advance ASPR’s ability to fully implement its plan to bolster HHS’s cyber SRMA activities,” he added.

He also added that “we are looking to establish a new HHS cyber incident ticketing system to better track incidents and strengthen threat intelligence sharing through embedded liaisons within CISA and the FBI. Dedicated resources are needed to implement and operate supporting systems, as included in the FY2024 President’s Budget request. We continually assess and identify whether any additional authorities are needed to support our role as SRMA for the HPH sector, and I look forward to working with all of you if any other needs arise.”

In conclusion, Mazanec wrote that as increasingly sophisticated and pervasive cyber threats continue to grow and evolve, ASPR remains committed to executing its SRMA responsibilities to prepare for and respond to cyber threats in the HPH sector.

The U.S. Senate Committee on Energy and Natural Resources in March conducted a full committee hearing to examine cybersecurity vulnerabilities to the nation’s energy infrastructure. The committee also looked into the fact that energy resources are being used as a geopolitical weapon against the nation’s friends and allies, while its adversaries have increasingly begun using cyberattacks to infiltrate American infrastructure to disrupt energy security and the economy.
