Responding to a recent general global uptick in attacks on utilities and industrial control systems, and in particular the SolarWinds breach of 2020, the Biden administration has announced a 100-day plan aimed at rapid improvement of US power grid cybersecurity.
The administration made reference to “bold” moves and laid out some of its general proposals, but the complete plan — including many specifics that will be vital to government vendors — has yet to be released to the public.
Summarizing what we know about the 100-day plan
The 100-day plan is to be headed up by the U.S. Department of Energy (DOE), an announcement that has been somewhat controversial among cybersecurity experts. However, the Cybersecurity and Infrastructure Security Agency (CISA) will be a “partner agency” that coordinates with the DOE along with at least several other government agencies.
The private utility companies will also be looped in, with the primary focus on shoring up the defenses of industrial control systems (ICS) of the energy sector. Secretary of Energy Jennifer M. Granholm said of the plan: “The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses … It’s up to both government and industry to prevent possible harms—that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system.”
One of the announced goals for the 100-day plan is to “… (encourage) owners and operators to implement measures or technology that enhance their detection, mitigation, and forensic capabilities.” Previous statements about the plan have indicated that this will happen via some sort of economic incentive, but it is still not clear exactly what form that will take. The government is soliciting responses from electric utility companies until June 7.
Other initial goals of the 100-day plan include establishing milestones for the deployment of real-time response capabilities in critical industrial systems, enhancing the cybersecurity posture of IT networks, and creating a voluntary system to encourage members of industry to improve government insight into possible threats in industrial and operational systems.
The overall purpose of the 100-day plan appears to be to establish a roadmap for increased government-private partnership on power grid cybersecurity matters, but the materials released to the public so far give little insight as to what specific critical vulnerabilities the government wants to prioritize. One long-standing issue for the private sector is that much of the government’s threat intelligence is classified.
Another issue that remains unclear is specific government guidance in terms of security requirements for hardware and third-party software, something that federal regulations do not currently cover. Vendor compromise is part of the initial focus of the 100-day plan, due no doubt to it being at the center of the SolarWinds and Microsoft Exchange breaches that hit government agencies.
Matt Sanders, Director of Security at LogRhythm, believes that any power grid cybersecurity program will not end up being truly effective unless the standards proposed cease to be “voluntary” for industry partners: “The 100-day plan from The U.S. Department of Energy and the Cybersecurity and Infrastructure Security Agency (CISA) currently calls the industry effort to deploy technologies to secure industrial control system (ICS) and operational technology (OT) voluntary, which may hurt its effectiveness. Over the past 20 years, industrial control systems have largely neglected operational technology and operational risk by air gapping data to compensate for deficiencies in network security and physically isolating platforms from unsecured networks. Any organization leveraging technology to enable operations for critical infrastructure needs to ensure proper protection protocols are established, ranging from threat detection, preventative controls and response controls to quickly thwart and identify potential catastrophes. Lagging detection and alerts can result in a disaster if controls or data are obtained by domestic or foreign adversaries.”
Concrete power grid cybersecurity improvements still shaping up
While much of the initial announcement dealt in general concepts rather than specific standards, the government did make at least one move to assist private industry. A national security order from late 2020 that banned the purchase of bulk-power systems for critical defense systems has been lifted, something done in response to industry criticism that grid security was not adequately addressed by the administration’s recently announced infrastructure plan.
Further concrete steps to shore up power grid cybersecurity will likely be delayed until industry members have their chance to weigh in during the initial 100-day plan. The government has announced that it is going forward with an executive order addressing federal cybersecurity in the interim, however. The order was first reported on in March and is expected to be focused on supply chain security, possibly creating new requirements for government contractors. An early draft indicates that this might include new software security standards and a requirement that federal inspectors be allowed to access specific endpoints considered critical to national security. Initial reporting expected the order to come sometime in April, but there is still no clear timeframe.
Bryson Bort, CEO of SCYTHE, also points out that the power grid cybersecurity plan may force industry partners to review and replace hardware: “The reinstatement of EO 13920 clarifies that DOE will not include adversarial nations in the consideration for critical infrastructure technology and security.”
Though the United States has yet to suffer a physical attack that compromises power grid cybersecurity, foreign actors (most notably Russia) have been probing defenses and attempting to establish long-term access for years. There is also some amount of domestic threat, as evidenced by two recent attacks on water utilities. A February attack on the water supply of Oldsmar, FL, which leveraged an outdated remote access system that remained present on the network, is still under investigation. A more recent attempted hack of the water supply system of a Kansas town is thought to be the work of a disgruntled former employee.
At the moment, the initial 100-day plan is shaping up to be a confusing period for vendors who are now hearing that they need to protect private networks from advanced nation-state threats but have yet to receive precise details as to how to do that. ICS environments already generally conform to National Institute of Standards and Technology (NIST) and North American Electric Reliability Corporation (NERC) standards, and receive regular advisories from the Department of Homeland Security and other federal agencies, so some in the industry may be left wondering exactly what more the White House expects them to do to shore up power grid cybersecurity.