According to NERC, it is estimated that around 25% of electric utilities on the North American power grid downloaded the SolarWinds Sunburst backdoor that was discovered in December of 2020.
The significance of this threat propelled the Biden Administration to announce a new plan to address cybersecurity risks and safeguard critical energy infrastructure on April 20, 2021. In the announcement, Secretary of Energy Jennifer M. Granholm stated that, “The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses. It’s up to both government and industry to prevent possible harms—that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system.”
As part of this program, the Department of Energy (DoE) announced a 100-day plan to “confront cyber threats from adversaries who seek to compromise critical systems that are essential to U.S. national and economic security.” The objective is to “continue to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.”
The goals of this initiative are to:
In addition, the DoE released an RFI to solicit input from any interested parties to help guide recommendations to secure the energy supply chain. A follow-up article on April 21, 2021 in SC Magazine summarizes the initiative and notes that the “plan was not released in full to the public, or to many vendors who might be instrumental in actualizing key objectives.”
Critics of the plan say that the Biden Administration should have relied more on the Cybersecurity and Infrastructure Security Agency (CISA) and less on the Department of Energy, which has little experience practically implementing cybersecurity initiatives. The plan doesn’t do enough to address other underserved critical sectors, such as water management systems and manufacturing, and may focus too heavily on detection and response, while ignoring system hardening and attack prevention.
Regardless of your opinion of the plan, this is certainly a step in the right direction for critical infrastructure in the United States, which is finally getting some attention from the top. Whether it does enough to effectively secure our nation’s industrial control systems (ICS) is yet to be determined.