DOE wants $15 million more for securing the grid

The Obama administration wants to put another $15 million toward bolstering the physical and cybersecurity of the country's electricity grid. The funding, if approved by Congress, would concentrate on community-owned utilities and electricity cooperatives, which generally have less money to spend on cybersecurity than bigger, investor-owned utilities.

The money would be distributed over three years and support programs run by two groups that represent local utilities: the American Public Power Association and the National Rural Electric Cooperative Association. The work would include developing security tools and training programs to improve security culture for APPA and NRECA members, the Energy Department said in a news release.

"An example of a weak point for us is the varied nature of the electricity sector," Deputy Energy Secretary Elizabeth Sherwood-Randall said July 12 at a Bloomberg Government event. "We have major investor-owned utilities with significant resources; we also have smaller utilities."

She added that the government and the utility industry had learned a great deal from the cyberattack that hit the Ukrainian electricity grid in December, which plunged some 225,000 people into darkness. Some analysts have blamed the attack on Russia, and the hack influenced proposed legislation that would segment parts of the U.S. grid into safe havens devoid of digital entry points.

The legislation, introduced in June by members of the Senate Select Committee on Intelligence, would establish a two-year pilot program at DOE's national laboratories to identify new security vulnerabilities in parts of the grid whose compromise could threaten public safety or national security. The $10 million program would support research and implementation of improved platforms, including "analog and non-digital control systems."

Patricia Hoffman, an assistant secretary of Energy, told Congress on July 12 that DOE supports the bill's goals. Although many power companies conduct vulnerability assessments, "there still may be a gap where the DOE national laboratories should partner with industry" in that regard, she told the Senate Energy and Natural Resources Committee's Energy Subcommittee.

Hoffman advised lawmakers to use the legislation to strengthen the Electricity Sub-Sector Coordinating Council, a government/industry forum for bolstering grid security. ESCC works with the Electricity Information Sharing and Analysis Center (E-ISAC), a hub for disseminating cyberthreat information to the utility industry.

Duane Highley, CEO of the Arkansas Electric Cooperative Corp., told lawmakers E-ISAC needed fine-tuning.

"It's working well, but it could work even better," he said. "We would like to see stronger communications and more timely information flowing from government."

Reg Harnish, a cybersecurity consultant with clients in the utility industry, told FCW that some organizations struggle to use cyberthreat intelligence from the government.

"Most organizations cannot act on intelligence no matter how relevant it is," said Harnish, CEO of GreyCastle Security. "In addition, threat intelligence is easily compromised by our adversaries generating digital 'noise.'"

Nonetheless, government officials are engaged in a two-pronged effort to brief utility executives on classified threats and more quickly declassify threat information for public consumption. The effectiveness of those initiatives will shape how prepared the utility industry is for a sophisticated cyberattack.

Meanwhile, threats to the grid continue to surface. Researchers at SentinelOne, an endpoint protection firm, recently uncovered potent malware targeting a European power company. The researchers believe the attack is backed by a nation-state.