CESER’s SLTT report highlights energy security, cybersecurity, emergency response activities in 2021


The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) within the U.S. Department of Energy (DOE) released on Monday its 2021 SLTT report, which covers the various resources and initiatives for state energy security and resilience planning, advancing emergency preparedness, and strengthening coordination. The State, Local, Tribal, and Territorial (SLTT) Year in Review (YIR) report reveals that stakeholders were also engaged in various activities throughout last year to enhance the security of energy infrastructure across the nation.

“All segments of the energy sector face evolving physical threats that if combined with a cyber-attack could further degrade system reliability,” the SLTT report said. “Communities nationwide are experiencing the impacts of a changing climate and increasing natural hazards, such as wildfires and hurricanes, which have affected millions of energy customers in the United States,” it added. 

The SLTT report identifies that cybersecurity for critical infrastructure, particularly in the energy sector, is an important and complex national security challenge. A major cyberattack could have wide-ranging national security and economic impacts. Cybersecurity can only be effectively addressed through collaborative partnerships among a broad set of stakeholders, across all levels of government, private industry, and academia, it added.

The public utility commissions (PUCs) recognize that the critical infrastructure sectors they regulate face continually evolving cybersecurity threats from malicious actors, the SLTT report said. “To support their regulated utilities in addressing these threats and provide effective oversight, PUCs are striving to increase their cybersecurity expertise. The country is currently facing a large cyber workforce gap – with an estimated 500,000 cybersecurity jobs unfilled today. This NARUC reference guide outlines the role of cybersecurity personnel within a PUC and provides commissions with ideas for recruiting, retaining, and growing their cybersecurity talent,” it added. 

The National Association of Regulatory Utility Commissioners (NARUC) is a non-profit organization that represents the state public service commissions, which regulate utilities that provide essential services, including energy, telecommunications, power, water, and transportation. The agency released last February a guide that aims to serve as an important tool that enables state public utilities to develop or expand cybersecurity proficiencies, understand how cyber experts typically function in a PUC environment, and identify the needed skill sets.

Last June, the Texas PUC partnered with NARUC to hold their first cybersecurity tabletop exercise with 25 participants from 13 organizations spanning Texas’s state government and the electric sector. The Texas PUC designed and conducted their exercise by following the guidance in NARUC’s Cybersecurity Tabletop Exercise Guide. One of five tools in the NARUC Cybersecurity Manual, the Cybersecurity Tabletop Exercise Guide provides step-by-step instructions on how to design, conduct, and evaluate cybersecurity-focused exercises. 

NARUC also hosted a virtual Cybersecurity Training for State Regulatory Commissions in February, drawing 237 participants from 41 states, the District of Columbia, Puerto Rico, and Canada, the report said. In September, NARUC held a second virtual training with almost 200 registrants, during which experts and commission peers addressed PUC-relevant cyber topics from ransomware to a utility chief information officer’s day-to-day security operations, it added.

“Given the growing prevalence of cyber threats to the electric sector, PUCs across the United States have been placing an increasingly high emphasis on coordinating with the utilities they regulate to ensure they are protected against cyber threats,” the SLTT report said. “NARUC recognizes that PUCs must remain vigilant about cybersecurity by expanding their knowledge and staying current on continually evolving cyber threats, trends, technologies, and mitigation approaches,” it added.

To help meet this need, NARUC is planning in-person cybersecurity training and an on-demand cyber training module for PUCs in 2022, the report said.

Stakeholders in the energy community are striving for a better understanding of the myriad cybersecurity threats to the energy sector, the consequences of such attacks, and how to prepare for and mitigate them, the SLTT report said. The National Governors Association (NGA), NARUC, and the National Association of State Energy Officials (NASEO) partnered with CESER to hold two events in 2021 to examine the complex topic.

Last April, NGA convened a group of experts from across the intelligence community, the federal government, and the electric and gas sectors for a roundtable that focused on foreign influence threats in U.S. critical energy infrastructure sectors.

In August, NARUC, NASEO, and NGA partnered to host a virtual roundtable to examine the cybersecurity-related supply chain threats and vulnerabilities that have the potential to cause disruptions to the U.S. electric distribution system, and identify potential roles for states to contribute to mitigation efforts, the SLTT report said. The SolarWinds attack and other recent incidents exposed the extent of supply chain cybersecurity risks to critical energy infrastructure and underscored the need for federal, state, and industry stakeholders to collaboratively identify and implement innovative, effective solutions, it added. 

In November, DOE’s CyberForce Competition challenged 120 teams from 33 states and the District of Columbia to test their cyber defense skills. In the 2021 scenario, collegiate teams secured a hydropower company, along with one of its recently acquired subsidiaries, against potential future threats. CESER congratulates the three winning teams from the University of Central Florida, the University of California Santa Cruz, and Pennsylvania State University. 

The CyberForce also expanded into a holistic cybersecurity workforce development program, with educational webinars and a competition series leading up to the main event, the SLTT report said. The initial Virtual Career Fair also helped to connect university students with jobs and internships in a variety of different sectors, exposing students to wide-ranging career paths and offering unique hands-on experiences. The holistic DOE program is designed to support the next generation of cybersecurity professionals tasked with defending and protecting critical energy systems from cyber threats and attacks, it added. 

In 2022, CESER is continuing “to work with SLTT partners to address the most compelling energy, climate, and cybersecurity challenges facing the sector,” it added.

Congressman August Pfluger, a Republican from Texas, introduced last week the Cyber Deterrence and Response Act of 2022 to deter foreign nation-states from perpetuating cyberattacks against American critical infrastructure, including the energy sector.

The bill deters would-be cyber-attackers sponsored by foreign nation-states by clarifying that the U.S. would respond to serious attacks on U.S. critical infrastructure. It compels the President to respond to a cyberattack either with sanctions or with a classified/unclassified report to Congress explaining why they are not acting, creating more accountability for the Executive. It also protects the energy sector by codifying its designation as critical infrastructure.

Last month, the U.S. security agencies and the DOE released a joint cybersecurity advisory that provides information on multiple intrusion campaigns conducted by state-sponsored Russian cybercriminals from 2011 to 2018 that targeted U.S. and international energy sector organizations. In addition, the agencies are sharing this information to highlight historical tactics, techniques, and procedures (TTPs) used by adversaries to target these installations.
