'They've got to beat all of us;' federal officials call for collaboration on cybersecurity

Shoring up the US' energy systems from cyberthreats will require collaboration between industry and all levels of government, federal officials said Feb. 14.

All parties will need to use their available resources in the "most optimal fashion possible" to ensure a collective cybersecurity defense, said Chris Inglis, national cyber director who serves as a top cybersecurity adviser to President Joe Biden.

"Gone are the days ... where one of us would know enough to actually understand the totality of the threats, where one of us would have enough capacity, capability, authority to deal with that threat," Inglis said during the National Association of Regulatory Utility Commissioners' Winter Policy Summit. "We have to actually make it such that if a transgressor in this space wants to beat us, they've got to beat all of us."

On the cybersecurity front, the federal government needs to better support the private sector, given that the latter controls most of the cyber resources, Inglis said. The public and private sectors must determine how to collaborate and complement one another in the cyber realm as they do in the physical realm, the official said, adding that there is "further work to be done."

US Deputy Energy Secretary David Turk agreed that the government and industry need to be part of the solution, given vulnerabilities that can occur from cybersecurity breaches.

"If our weakest link goes down, then we're all in real trouble along those lines," Turk said.

Inglis highlighted last year's ransomware attack on Colonial Pipeline, during which a hacker accessed the company's information technology system housing customer, billing and other general purpose data after an employee clicked on a malicious link. The pipeline shut down for nearly a week as a result, causing gasoline and diesel price spikes, panic-buying and supply shortages across the Southeast and East Coast.

The official contended that solving this problem will require adequate cyber awareness and training for employees; installing the right technologies on the IT side to further mitigate risk, such as disabling active links in emails and enabling two-factor authentication; and a better understanding of how the OT side is built and more transparency into its supply chain.

"The weakest link in any of those things can hold us at common hazard," Inglis said. "This is simply an investment we must make. We should have no less of a doubt that cyber should be built into everything that we do. There's no magic bullet in that."

Supply chain concerns

In addition to cyberattacks on US energy systems, the industry is also concerned about bad actors manipulating infrastructure components. As a result, companies have grown increasingly concerned about the source of transformers and other equipment.

William Fehrman, president and CEO of Berkshire Hathaway Energy, said his company considers where its equipment is coming from, what risks the components might pose, and whether it might be beneficial to spend more money to source such resources from nations that have better relationships with the US than China.

While Berkshire Hathaway Energy used to make business decisions based on lowest costs, "today the decision that we present to you is really the lowest risk," Fehrman said.

"As we start deploying all of this on our systems, we have to make sure that in a case of execution by the adversaries that we have the capability of thwarting that," he said. "We are on the frontlines. We depend heavily on our government partners, but the fact of the matter is we're the ones who actually have to defend and respond."

Committed to visibility

About 150 electric utilities serving 90 million Americans and representing some of "the most critical of critical energy infrastructure companies" have committed to working with the Department of Energy to advance adoption of technologies that can provide greater visibility into networks that control system operations, Kate Marks, deputy assistant secretary of DOE's Office of Cybersecurity, Energy Security, and Emergency Response, said during a separate webinar Feb. 14 hosted by industrial cybersecurity firm Dragos.

The collaboration builds on Biden's industrial control systems national security memorandum, which last April kicked off a 100-day action plan to increase real-time information sharing, visibility, detection and response capabilities in electric sector OT networks.

The ICS cybersecurity initiative has since been extended beyond the electric sector to also include the natural gas pipeline sector.

Marks said DOE would be having conversations with state public utility commissioners at the NARUC summit as "they're going to be approving cybersecurity investments that many [energy companies] will need to be requesting."

Dragos CEO Robert Lee also homed in on the role public utility commissions will need to play in thwarting cyber threats.

"For so many of our members that are smaller, they do not have the same economic resources to go do anything, let alone special technologies when sometimes they're sharing an IT person across a couple of utilities," Lee said. "If we want to make change there, it's got to be the public utility commissions that look at what is a reasonable and just investment without platinum coating it and expecting the ratepayers to pay for it."