Cybersecurity

DOE wants $15 million more for securing the grid

Shutterstock image (by gyn9037): High voltage towers, electricity infrastructure.

The Obama administration wants to put another $15 million toward bolstering the physical and cybersecurity of the country's electricity grid. The funding, if approved by Congress, would concentrate on community-owned utilities and electricity cooperatives, which generally have less money to spend on cybersecurity than bigger, investor-owned utilities.

The money would be distributed over three years and support programs run by two groups that represent local utilities: the American Public Power Association and the National Rural Electric Cooperative Association. The work would include developing security tools and training programs to improve security culture for APPA and NRECA members, the Energy Department said in a news release.

"An example of a weak point for us is the varied nature of the electricity sector," Deputy Energy Secretary Elizabeth Sherwood-Randall said July 12 at a Bloomberg Government event. "We have major investor-owned utilities with significant resources; we also have smaller utilities."

She added that the government and the utility industry had learned a great deal from the cyberattack that hit the Ukrainian electricity grid in December, which plunged some 225,000 people into darkness. Some analysts have blamed the attack on Russia, and the hack influenced proposed legislation that would segment parts of the U.S. grid into safe havens devoid of digital entry points.

The legislation, introduced in June by members of the Senate Select Committee on Intelligence, would establish a two-year pilot program at DOE's national laboratories to identify new security vulnerabilities in parts of the grid whose compromise could threaten public safety or national security. The $10 million program would support research and implementation of improved platforms, including "analog and non-digital control systems."

Patricia Hoffman, an assistant secretary of Energy, told Congress on July 12 that DOE supports the bill's goals. Although many power companies conduct vulnerability assessments, "there still may be a gap where the DOE national laboratories should partner with industry" in that regard, she told the Senate Energy and Natural Resources Committee's Energy Subcommittee.

Hoffman advised lawmakers to use the legislation to strengthen the Electricity Sub-Sector Coordinating Council, a government/industry forum for bolstering grid security. ESCC works with the Electricity Information Sharing and Analysis Center (E-ISAC), a hub for disseminating cyberthreat information to the utility industry.

Duane Highley, CEO of the Arkansas Electric Cooperative Corp., told lawmakers E-ISAC needed fine-tuning.

"It's working well, but it could work even better," he said. "We would like to see stronger communications and more timely information flowing from government."

Reg Harnish, a cybersecurity consultant with clients in the utility industry, told FCW that some organizations struggle to use cyberthreat intelligence from the government.

"Most organizations cannot act on intelligence no matter how relevant it is," said Harnish, CEO of GreyCastle Security. "In addition, threat intelligence is easily compromised by our adversaries generating digital 'noise.'"

Nonetheless, government officials are engaged in a two-pronged effort to brief utility executives on classified threats and more quickly declassify threat information for public consumption. The effectiveness of those initiatives will shape how prepared the utility industry is for a sophisticated cyberattack.

Meanwhile, threats to the grid continue to surface. Researchers at SentinelOne, an endpoint protection firm, recently uncovered potent malware targeting a European power company. The researchers believe the attack is backed by a nation-state.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

  • Comment
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    Doing digital differently at VA

    The Department of Veterans Affairs CIO explains why digital transformation is not optional.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.