The Department of Energy on Tuesday launched a 100-day sprint to strengthen the cybersecurity of electric utilities’ industrial control systems (ICS) to protect operations from increasing cyber threats, part of the Biden administration’s initiative to bolster cyber protections for critical infrastructures.
The new pilot effort is a partnership between the DoE’s Office of Cybersecurity, Energy Security, and Emergency Response, the electric industry, and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).
“The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses,” Energy Secretary Jennifer Granholm said in a statement. “It’s up to both government and industry to prevent possible harms. That’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system.”
Under the 100-day plan industry can voluntarily deploy technologies to increase the visibility, detection, mitigation and forensic capabilities related to threats to their ICS and operational technology (OT) systems. The plan also has milestones for utilities to deploy technologies to improve their “near real time situational awareness and response capabilities” of ICS and OT systems, the DoE said.
“Adversarial nation-state actors are targeting our critical infrastructure, with increasing focus on the energy sector,” the department said in a Request for Information related to the 100-day sprint. “For example, the government of the People’s Republic of China is equipped and actively planning to undermine the electric power system in the United States. The growing prevalence of essential electric system equipment being sourced from China presents a significant threat, as Chinese law provides opportunities for China to identify and exploit vulnerabilities in Chinese-manufactured or supplied equipment that are used in U.S. critical infrastructure that rely on these sources.”
Participation by the private sector in the new cybersecurity initiative is voluntary and is built on partnerships with the federal government. The private sector owns and operates about 85 percent of the nation’s critical infrastructure.
“Public-private partnership is paramount to the administration’s efforts because protecting our nation’s critical infrastructure is a shared responsibility of the government and the owners and operators of that infrastructure,” Emily Horne, the spokeswoman for the White House National Security Council, said in a statement. “The 100-day plan includes aggressive but achievable milestones and will assist owners and operators as they modernize cybersecurity defenses, including enhancing, mitigation, and forensic capabilities.”
The new cybersecurity sprint is in line with DHS Secretary Alejandro Mayorkas’ plans for six department-led cyber sprints, which are focused on ransomware, the cyber workforce, ICS, the transportation sector, election security, and international efforts.
Acting CISA Director Brandon Wales said in a statement that the pilot effort with the energy sector will help with “work to secure industrial control systems across all sectors.”
When President Joe Biden entered office in January, he issued an executive order on the climate crisis that suspended a 2020 directive by then-President Donald Trump that led to the U.S. prohibiting some utilities from acquiring and installing bulk power system electric equipment manufactured in, or controlled by, China. Granholm revoked the suspension on Tuesday while the administration considers a replacement order.
The Request for Information issued by DoE seeks input from the energy sector, academia, research laboratories, government agencies and other stakeholders for better securing supply chains of U.S. energy systems while taking into consideration the needs of all stakeholders.
“To ensure that the department’s considerations for a replacement executive order appropriately balance national security, economic, and administrability considerations, the department is seeking information from electric utilities, academia, research laboratories, government agencies, and other stakeholders,” the RFI says.