Washington — To protect US energy systems from a continuous barrage of cyberattacks, policymakers and industry players are homing in on a non-digital defense system: improving people's awareness and changing the way they think about cybersecurity.
As attackers change their targets and strategies, addressing the human element of cyberrisks is essential, according to US Federal Energy Regulatory Commission member Neil Chatterjee.
"You can have all of the best and fanciest equipment and the best threat intelligence, but if the employees in your organization don't adhere to basic cybersecurity practices, like not clicking on suspicious links, then all that work is for naught," Chatterjee said. "This kind of focus on basic what I call cyber hygiene is something we are going to need to ingrain into ourselves as a society as we become more connected and therefore more vulnerable to cyber threats."
Bruce Walker, assistant secretary for the US Department of Energy's Office of Electricity, said cyber threats to the energy sector were long focused on the information technology side of the industry, but attention has increasingly turned to operational technology. The IT side includes digital communication, data and other material that is connected to the internet in some capacity. The operational technology side has the systems that manage the movement of electrons through the grid and molecules through pipelines.
Even with more attention going towards operational technology, the techniques being used by hackers are often the same in trying to find an entry point into the system, Walker said. This has kept an emphasis on educating power sector employees and addressing the human element of risks to the grid.
DOE's Cybersecurity Capability Maturity Model program "gets into people not opening emails that are unknown and being a bit more sensitive to anything that could give anybody access to their systems," Walker said of the public-private partnership developed to aid big and small companies with evaluating, prioritizing and improving their cybersecurity capabilities.
At Southwest Power Pool, employee education and the type of shift in mindset that Chatterjee advocated are already in play. Employees are not only told about phishing but tested with programs to see if they would fall for schemes, according to Barbara Sugg, SPP's vice president of IT and chief security officer. "The concept of 'see something, say something' is prevalent here."
STAYING UP TO DATE
For companies and regulators alike, keeping up to date on the continuously evolving nature of cybersecurity is at the heart of defending against cyber threats.
To aid this effort, DOE established a distinct Office of Cybersecurity, Energy Security and Emergency Response, or CESER, to more acutely focus on near-term, actionable ways to mitigate threats to the grid. Walker is currently serving double duty as acting assistant secretary of CESER. Karen Evans, the national director for US Cyber Challenge, is awaiting US Senate confirmation to become the permanent head of the new office.
Information sharing can be a double-edged sword, however. There are "countless" information flows identifying cyber threats and so-called indicators of compromise, according to John Bryk, a cyber and physical threat intelligence analyst with the Downstream Natural Gas-Information Sharing and Analysis Center. The deluge of information can be challenging to sort through.
Cyber strategists and analysts have to be judicious with the parameters they set up to filter these feeds, striking a balance between winnowing down the information to find what is useful and inadvertently excluding relevant threats.
"You have to do an intel threat analysis and figure out what it really means to you and to the members [of your industry]," Bryk said. "Out of all those threats, all those billions of bits that come across every day, hopefully we are hitting the right one."
Scott Aaronson, vice president of security and preparedness at the Edison Electric Institute, noted that industry is using a risk matrix that allows all threats to be considered and approached differently. Industry squashes high-likelihood, low-consequence attacks on a daily basis from less sophisticated hackers' efforts to access the network.
But high-consequence, low-likelihood events involve near-peer nation-states and other advanced threat actors that necessitate partnering "really closely with the government," said Aaronson, who also serves as secretary for the Electricity Subsector Coordinating Council. The council is the main liaison between the federal government and power sector to help monitor threats, share information and prepare for potential future disruptions to the system.
"We do have to give that an awful lot of attention because at the end of the day our only responsibility as critical infrastructure providers is to provide a reliable product to support national and economic security," Aaronson said.
-- Jasmin Melvin, firstname.lastname@example.org
-- Sarah Smith, S&P Global Market Intelligence, email@example.com
This is the third feature in a three-part series on cyber security in the energy space. Read Part 1 here: Energy industry faces unprecedented cyber threats almost daily, and Part 2 here: With cyberattacks inevitable, energy sector focuses on response