US Senate panel urged to hold off on additional cybersecurity rules

Dragos Inc., the U.S. cybersecurity firm that identified the first-ever malware to target electric grids, recommended that the U.S. Senate wait on imposing new cybersecurity regulations on the energy sector.

At a U.S. Senate Committee on Energy and Natural Resources hearing March 1 on cybersecurity and critical energy infrastructure, Dragos Inc. founder and CEO Robert Lee recommended a three- to four-year pause on new cybersecurity standards from the North American Electric Reliability Corp., the nonprofit grid overseer for the continental U.S., most of Canada and Mexico's Baja California.

"This will allow companies to catch up under current regulations as well as identify the threat landscape before them and come up on their own best practices for the type of innovation that we need for the industry-specific networks," Lee said. His firm most notably publicly revealed CrashOverride, the first malware developed to attack the power grid, which was used in December 2016 by Russian government-backed hackers to take down three electricity distribution sites in Ukraine.

Lee also said the U.S. Department of Energy's new Office of Cybersecurity, Energy Security, and Emergency Response, or CESER, should take the lead in research and development efforts to eliminate agency overlap and work with industry experts to identify new threats. Energy Secretary Rick Perry on Feb. 14 announced the establishment of CESER, with an initial proposed budget of $96 million for fiscal year 2019. The new office will be led by a DOE assistant secretary as part of the Office of Electricity Delivery and Energy Reliability.

"This organization change will strengthen the department's role as the energy sector's specific agency for cybersecurity," Bruce Walker, head of the electricity delivery office, told the panel. Expanding on this, Walker said CESER will coordinate industry and government cybersecurity efforts for the energy sector, with a focus on early research and development activities to build the next generation of cybersecurity control systems, components and devices, including sharing time-critical data to detect, prevent and recover from cyberattacks.

Barbara Endicott-Popovsky, executive director of the University of Washington's Center for Information Assurance and Cybersecurity, told lawmakers not to overlook human error in cybersecurity. "There's no firewall for stupid," she said. "So it's going to require policies, procedures, awareness training that's going to really deal with that human element."

Endicott-Popovsky emphasized the need to establish educational standards and tackle a systematic talent deficit in the workforce. She likened the cybersecurity task ahead to President John Kennedy's "moon shot" goal for NASA.

Turning to the wider implications and global risks at stake with government-sponsored cyberattacks, Endicott-Popovsky echoed previous warnings that cyberwar will result in Cold War-like mutually assured destruction. "Make no mistake, at some point we are going to need the equivalent of the Kennedy-Khrushchev-era red phone and nuclear disarmament talks [to avoid fatal miscalculations]," she said.

However, Endicott-Popovsky said national governments do not have the "appetite" to hash out and enforce a cybersecurity agreement right now.

William Sanders, a professor of engineering at the University of Illinois at Urbana-Champaign, noted the limits of current cybersecurity regulations amid growing use of smart meters, batteries and distributed renewable energy resources. "Much of the growth of the smart grid is on the distribution side, and much of the cybersecurity protections and resiliency that is put in place is in the bulk electric power grid," he said. "In fact, NERC and [Federal Energy Regulatory Commission] rules only apply to the bulk electric power grid side."

Sanders said the complex "architecture" of this smarter power grid requires more than outdated security solutions.