How cyber info sharing helps keep the lights on

At a House hearing, electricity industry reps said that information sharing between private sector and government is essential to mitigating cyber threats.

Public-private cyber threat information sharing is critical to keeping the lights on, representatives of the electricity sector told members of Congress.

During a lengthy hearing on the industry's response to cyber threats, members of the Energy and Power Subcommittee of the House Energy and Commerce Committee repeatedly asked panelists from industry what Congress can or should do to help the industry protect against cyberattacks.

Panelists said that the electricity sector continues to improve its resistance and resilience to cyberattacks, and a key component of that is information sharing.

They told members that the 2015 Fixing America's Surface Transportation Act provided a great deal of clarity for the industry on how to respond to an attack, and the industry isn't looking for anything revolutionary out of Congress right now.

"Legislatively, the framework, we feel comfortable with," Gerry Cauley, president and CEO of the North American Reliability Corporation, told FCW after the hearing.

He said that there is a strong culture of information sharing in the electricity sector and that industry is largely satisfied with structures such as the Cybersecurity Risk Information Sharing Program and other mechanisms for sharing information with the Department of Homeland Security, the FBI and the Department of Energy.

"We're more interested in continuity in the new administration to make sure we're able to continue building off that," he said.

He and other panelists said that the government must find ways to better share classified cyber threat data with industry and that the government can do more to ensure the confidentiality of data shared by industry.

"Continuing to knock down barriers to information sharing, I think, supporting industry efforts with research and development and … looking at creating the next generation of cyber professionals are all really important roles that industry and government can play together," said Scott Aaronson, executive director of security and business continuity at the Edison Electric Institute, after the hearing.

While panelists said that the electricity sector is more protected and resilient than other infrastructure sectors, they said the threat vectors only continue to increase with the proliferation of new technologies and devices such as smart thermostats, refrigerators or other internet-of-things devices.

"One such example is the strong push to update distribution networks through the installation of smart meters, which have the potential to be remotely accessed by adversaries," Chris Beck, chief scientist and vice president for policy with the Electric Infrastructure Security Council, said in his written testimony. "This could provide a new cyberattack path to the distribution utility." He also warned that the global supply chain for hardware and software is another growing threat vector.

Panelists warned that while there are steps government can take, such as working on cybersecurity standards for devices, it must not constrain the electricity industry.

"As flexible and risk based as our standards are, I firmly believe that we cannot win a cyber war with regulations and standards alone," Cauley said. "Industry must be agile and continuously adapt to threats."