Washington — A Department of Homeland Security official acknowledged that legal squabbles, rather than technical issues, could pose scenarios that force electric utilities to make a choice between national security and their corporate responsibilities.
While the department is working with companies as well as lawmakers to mitigate those issues, change will not occur overnight, Christopher Krebs, director of DHS' Cybersecurity and Infrastructure Security Agency, said at the Edison Electric Institute's virtual leadership summit.
As the US' self-proclaimed risk advisor, CISA brings an entrepreneurial spirit to its work with industry partners, listening to utilities' needs and unique market demands to craft customer-centric, customer-driven and purpose-built solutions to the risks and concerns the power sector faces, Krebs said.
Among the agency's operational priorities are reducing the risk of Chinese supply chain compromises and reducing risk to industrial control systems. The threats include the desire of China, Russia and a few other nations "to export their style of digital authoritarianism on a global scale," Krebs said.
Edison International President and CEO Pedro Pizarro, who moderated the conversation with Krebs, noted that the US utility sector has become increasingly dependent on the global supply chain for critical components, including supervisory control and data acquisition (SCADA) systems and transformers.
While supply chain risk is not new, it was catapulted into the national consciousness in 2020, Pizarro said, adding that vendor cyber risk mitigation is already underway through the issuance of the bulk power system executive order reining in foreign equipment procurement and the start of enforcement of new cybersecurity supply chain risk management protocols overseen by the North American Electric Reliability Corp.
"But the harder issues have been the legal ones rather than the technical ones," Pizarro said. "A classic example is that utilities may be supplying equipment for" open-ended vulnerability testing being conducted at the Idaho National Laboratory, for instance, "but they may be prohibited by their contracts with vendors from sharing the grid equipment that's in their systems currently. We can't share it with the government labs to be reverse engineered for vulnerabilities, per the contract."
Though language in the National Defense Authorization Act is attempting to address that issue, Pizarro asked Krebs whether more could be done to promote that type of sharing.
Krebs responded that CISA and the risk management community must broaden their audience and engagement to bring everyone into risk-management conversations. Then, this security-minded thinking will flow into the contract negotiations and legal arrangements made when making deals and purchases, but "this doesn't happen overnight," he asserted.
Current equipment and managed service provider contracts "might not give you the visibility or the audit rights that you would prefer if you really needed to go back and kind of check the tape to make sure that there wasn't any sort of nefarious activity being exploited by those trusted relationships," Krebs said.
He noted that CISA is helping to educate and build awareness of these threats, but "ultimately you out in industry are going to be the ones that make the decisions to change the behaviors and get that improved risk management posture."
Krebs also stressed the need for collaboration and cooperation. "No organization, no sector is going to be able to stand on your own against a dedicated adversary of a nation-state capability, so we've all got to work together," he said. In that regard, he said that helping out peers and lesser-resourced organizations will be key to maintaining grid security and facilitating knowledge transfer from what he called the haves to the have-nots.
Further, he said general counsels and outside counsel will be critical partners in "this community security concept and this umbrella approach to collective defense."
Pizarro agreed, adding that a major legal hurdle with the potential to compromise national security is the current lack of liability protection for energy companies.
"We recognize that utilities are being asked and frankly have an obligation to support government in the interest of national security," he said. "But sometimes that means government might be requesting utilities to do something that they might not have the authority to do otherwise, creating liability for us."
The utility sector is pushing for legislation that would authorize the secretary of energy to afford such liability protection when a grid security emergency is declared.
Krebs said CISA was also working with Congress and was hopeful that "something meaningful and helpful [could get] across the finish line."
He added: "It's all about getting you the information you need, putting you in a position from an operational posture to be successful in managing risk to your networks and customers, but also being part of this national security team."