On March 31, U.S. President Joe Biden released a $2.25 trillion plan to create jobs and rebuild the country’s infrastructure. Among the plan’s many goals is reenergizing the nation’s power infrastructure. It calls for a $100 billion investment in power infrastructure that would involve building a more resilient electric transmission system. Protect our Power claims there are glaring omissions.
“We would like to see specific funds allocated for enhancement of cybersecurity for the electric system.”
“As the recent Texas power outages demonstrated, our aging electric grid needs urgent modernization. A Department of Energy study found that power outages cost the U.S. economy up to $70 billion annually,” the White House says. “The President’s plan will create a more resilient grid, lower energy bills for middle-class Americans, improve air quality and public health outcomes, and create good jobs.”
Missing from that plan is money for cybersecurity to secure the nation’s power infrastructure. Industrial Cyber talked to the independent organization Protect Our Power about the omission and what they believe the government should be doing to protect the county’s power infrastructure. The organization is made up of former electric utility industry, military, government, and regulatory experts focused on making the electric grid more secure and resilient.
“There’s a lot of money in the plan to make the electric system more reliable and more resilient and more flexible. There’s some small discussion around infrastructure security, but there’s no specific portion of money set aside specifically for cybersecurity,” says Steven Naumann, Protect Our Power’s chief technical advisor. “There are lots of very worthy enhancements to the electric system, and that’s good that there’s money for that, but we need to establish a foundation for a resilient electric system. We would like to see specific funds allocated for enhancement of cybersecurity for the electric system.”
According to a 2020 report by Report Our Power, the country’s power infrastructure faces many threats. The study found that cyber-related vulnerabilities in the electric sector supply chain present a clear and present danger to U.S. national security.
“There are numerous threats across the industry ranging from hackers to criminals using ransomware, but we believe the biggest threat to the industry comes from nation states,” says Nauman, a former Exelon executive. “ It’s very hard to predict because you’re dealing with an intelligent opponent, all the ways they might attack, but we believe, and government officials believe, one of the biggest threats is supply chain attacks, either by putting malware in a product or software as we saw with the SolarWinds attack.”
In an effort to better protect the power infrastructure supply chain and secure the electric grid from attacks from foreign adversaries, last May, former President Donald Trump signed an executive order aimed at these threats. The executive order was designed to limit the use of foreign-supplied components in the U.S.’s bulk-power system.
“This Executive Order is an important first step — one that Protect Our Power supports — to address dangerous cyber-related vulnerabilities in the electric sector supply chain,” said Jim Cunningham, executive director of Protect Our Power, in a statement at the time. “The order highlights a looming threat that Protect Our Power and other security experts have identified for some time now.”
The executive order enables the energy secretary to prohibit acquisition, importation, transfer or installation of power equipment from an adversary that they determine poses a risk of sabotage to the U.S. power system.
“The president’s Executive Order appropriately empowers the Energy Secretary to act with input from the new Task Force established in the order. This should allow for needed coordination between our intelligence agencies and Homeland Security to implement timely and informed actions. This also highlights the pressing need to establish in-depth protocols to guide the actions of buyers, sellers and regulators to assure the cyber integrity of our nation’s electric sector supply chain,” Cunningham said. “While we should be sensitive not to dramatically increase costs to consumers, we absolutely must work more urgently and comprehensively to better secure the supply chain and protect Americans from the consequences of a high-impact cyberattack.”
However, earlier this year, President Biden suspended the bulk power executive order for 90 days. The suspension came as part of an executive order where Biden directed all executive departments to “review all existing regulations, orders, guidance documents, policies, and any other similar agency actions (agency actions) promulgated, issued, or adopted between January 20, 2017, and January 20, 2021.”
Now, Protect Our Power is waiting to see what will happen with the bulk power order. While they supported the executive order initially, they say it lacked specifics.
“We support any action that increases the security of the electric system,” Nauman says. “There were a number of things that were less than clear. Certain things in the order, we definitely support them as the kind of actions that are needed. The idea that you need an approved list of products is very important, we support that. But how do you do that? The devil is in the details and there were no details in the order. We look forward to seeing what the next steps by the DOE are.”
In the meantime, Protect Our Power is doing its part to help secure the country’s power infrastructure. Last year, the organization sponsored a supply chain collaborative to support critical DOE policy development.
The supply chain collaborative group has recommended developing a comprehensive cybersecurity supply chain framework that recognizes the differences between utility companies and is designed to operate across these varied systems. It also recommended creating a list of permitted components and vendors or a prohibited component list based on the country of origin or product manufacturer.
Moving forward, the organization is calling for more investment from the government to protect the country’s power infrastructure. Specifically, they’d like to see more funding for secure communications, technology transfer, and equipment testing.
“We’re not trying to degenerate the Biden proposal. All of these adjustments are excellent for building up electric infrastructure. We think it needs to take one more step and make sure there’s money allocated specifically for cybersecurity,” Nauman says. “There are a lot of small utilities and the cost can be a burden for their customers.”