University unites industry, gov to tighten energy sector cybersecurity

Two professors at Rice University in Houston recently launched a program to bring together cybersecurity professionals, advocates from the local energy community, government and academia to discuss how to protect the nation's power plants from cyberattack.

Chris Bronk and Dan Wallach kicked off the multiyear program about six months ago because they recognized stakeholders from the public and private sector were not cooperating to protect the computer networks supporting the nation's critical infrastructure, creating a dangerous situation. Because numerous power companies operate in Texas, the two professors decided to focus first on the energy sector.

"We need to get people together and talking about the problem," said Wallach, who teaches in the university's computer science department and specializes in security issues. "All of these companies just want their infrastructures to work, and they want to compete on the assumption that security is not a problem. They all benefit from working together to help address this challenge, because government can't just prescribe a solution."

In November, Dale Meyerrose, vice president for cyber and information assurance at Harris Corp. and former chief information officer for the Office of the Director of National Intelligence, spoke to representatives from the energy industry at the university about securing networks without sacrificing the ability to share information and intelligence.

In October, university officials heard from security professionals at AT&T and the trash and waste removal company Waste Management Inc. Rep. Michael McCaul, R-Texas, co-chairman of the Commission on Cybersecurity for the 44th Presidency and a member of the House Homeland Security Committee, spoke about the need for stronger partnerships. "The important thing is to engage personalities in the cyber domain, everyone from a congressman to the security [official] from the largest trash hauling company in the United States," said Bronk, who is a fellow at Rice's Baker Institute for Public Policy.

After McCaul spoke, officials from power companies who were in attendance, realized they should send a message to Congress about what the industry views as realistic in strengthening cybersecurity in their businesses. "There's a concern among these companies that there will be a disconnect between the reality of their industry and what government propagates in terms of regulations," Bronk said. "That legislation will throw down goals and objectives that are not technically feasible."

Wallach and Bronk plan to develop a private wiki for cybersecurity professionals and policymakers from the energy industry to "collect aggregate knowledge and create an institutional memory that everyone can draw on," Wallach said.

Bronk previously worked at the State Department's Office of eDiplomacy, where he helped launch Diplopedia, a wiki to enable employees located all over the globe to securely exchange information. "The good intelligence is not going to just come from government," he said. "We want to figure out how to help government, industry and academic people share ideas in a space that may not be for everyone, but is useful, accessible and adaptable."

Federal law enforcement officials are interested in participating in the program, and the professors said they plan to engage the Homeland Security Department. Some neighboring universities also have agreed to contribute their expertise in cyber forensics and criminal justice to the dialogue.

If the program is successful, the community will organize themselves and respond when a cyberattack occurs, and it will serve as a model for other industries to follow such as the health care and transportation sectors, Bronk and Wallach said. Both emphasized, however, that the program is in its early stages of development.

"We're just at the beginning of what can be a very long process," Wallach said. "If we get to a point where everyone is getting along and knows where there is work to be done, we hope to come up with policy objectives. But industry, government and academia are on the same page."