Atlantic Council report highlights need to secure energy transition against cyber threats


A new report from the Atlantic Council Task Force on Cybersecurity and the Energy Transition said that the energy sector must be defended against disruption by cyber threats that range from criminal to geopolitical. Assessing that existing efforts to strengthen cybersecurity are insufficient to meet the demands of the energy transition, the report said that the fragmented, sometimes rivalrous set of institutions regulating and coordinating current cyber defenses leaves several gaps, ambiguities, and weak links.

“The United States is unprepared to secure this energy transition. Changes in technology, energy sources, and geopolitical considerations have outpaced public policy,” according to the report titled ‘Securing the Energy Transition against Cyber Threats.’ “Rapid adoption of digitally managed energy assets is transforming the technologies, business models, and policy landscape simultaneously in a matter of years – not decades. These new systems raise the stakes for cybersecurity, even as they strain the regulatory systems designed to ensure reliability in a more centralized, less digitized energy industry,” it added.

Judging that the goal is to create strong regulatory frameworks that hold the private sector accountable, the Atlantic Council report aims to provide companies with the resources to cultivate in-house cybersecurity, instill the confidence to engage with public sector bodies, and react quickly when cyberattacks strike.

The Atlantic Council Task Force on Cybersecurity and the Energy Transition report also disclosed that the public and private sectors lack a unified strategic framework to secure energy infrastructure against cyber threats. “Existing authorities intended to clarify responsibilities for cybersecurity and assign roles to the Department of Homeland Security, the Department of Energy, and other agencies are ambiguous in practice. Ambiguities and gaps in jurisdiction lead to weaker cybersecurity practices, wasted effort by government, confusion for the private sector, and missed opportunities for timely information sharing that would strengthen security,” it added.

The report also flagged that aligning government actions can enhance cybersecurity for the energy sector by clarifying DHS CISA’s role as leader of the national unity of effort for critical infrastructure protection, reducing duplicative effort while aligning executive and legislative oversight. It also called for coordinating mandatory and voluntary standards to create a roadmap for future requirements, private sector risk management, and examining rate-based or tax incentive structures.

Because the majority of American energy infrastructure is privately owned, private sector actions are essential to sustaining strong cyber defenses, the Atlantic Council report assessed. “The private sector must maintain cyber hygiene and must address supply chain security for physical devices and software used in critical infrastructure. Government can support private-sector efforts with clear standards for devices, vulnerability assessment frameworks, and with programs that support testing for physical devices. Government can and should serve as a hub for sharing information on identified threats,” it added.

It added that the public and private sectors are interested in recovering quickly when cyber incidents occur. 

The report also pointed out that realigning the focus of DHS and DOE should aim to create complementary roles and responsibilities. Such a realignment would allow DHS to focus on coordination, cross-sector analysis, risk mitigation, and incident response activities, the Atlantic Council report said. 

Meanwhile, the DOE can focus on building deeper sector-specific expertise that adds more value through its support. The private sector’s ability to secure the connected assets that power the energy transition hinges on the federal government improving its authority structure and operational model. It added that clearly defined roles and responsibilities among federal agencies dictate the sector’s preparedness, resilience, and ability to respond to cyberattacks, both within government and for owners and operators.

The Infrastructure Investment and Jobs Act, colloquially known as the Bipartisan Infrastructure Bill, included additional investments in cybersecurity for the energy sector, and relatively new programs like the Critical Infrastructure Security Agency’s new Cybersecurity State Coordinators and the new Joint Cyber Defense Collaborative show potential for improving incident response. Likewise, technology developments that reduce the cost of cybersecurity monitoring and detection show potential for earlier detection of malicious activity. However, the energy industry would benefit from greater clarity on the thresholds that should prompt government involvement in cyber incident response.

Securing the energy industry and critical infrastructure from cyber threats is increasingly a vital interest for the U.S. and countries worldwide. The future of US national, economic, and environmental security depends on harnessing the power of digitally connected and electrified clean and low-carbon energy technologies. Reimagining existing frameworks to secure the energy transition is a complex but urgent endeavor. The U.S.’s choices will result either in a fragile, vulnerable energy sector or a solid foundation for a more sustainable and secure future.

The report also suggested setting an effective investment framework for energy cybersecurity. It also said that the Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), and the National Institute of Standards and Technology (NIST) should coordinate mandatory and voluntary standards to create a road map for future requirements and give the private sector more latitude and flexibility to manage risk. 

Additionally, the DHS CISA and Sector Risk Management Agencies (SRMAs) should consider a baseline set of standards for cybersecurity applicable to organizations of various sizes and criticality that may be extended by those SRMAs with regulatory authority to address industry-specific issues and concerns. Furthermore, in coordination with state regulatory bodies, the DOE and FERC should develop several models to apportion the cost of cybersecurity in the energy sector between owners and operators, consumers, and the government.

The Atlantic Council report delivered recommendations that would enable the Task Force to strengthen American cybersecurity readiness in the energy sector. It called for a focus on government actions to support private-sector cybersecurity efforts. These include recognizing standards organizations that will develop clear guidelines for product and supply-chain security and providing penetration testing assistance to certain critical infrastructure assets.

It also called for clarifying and streamlining information-sharing practices to foster timely and complete threat information sharing, and for clarifying what constitutes civilian asset response and protection of the kind that DHS CISA can support and what constitutes a more sophisticated matter.
