While the number of cyber and physical attacks on the U.S. energy grid have did not increased noticeably in the first half of 2021, system officials are still on high alert for attacks launched by nation-state operatives and other U.S. cyber adversaries, a new report said.
Massive cyber operations, such as the SolarWinds Orion and the Colonial Pipeline attacks “underscore a need for increased vigilance,” and a necessity to develop “countermeasures” to both prevent and recover from cyber aggression, the North American Electric Reliability Corp. (NERC), a power grid regulator, said in its 2021 Reliability Risk Priorities Report. An umbrella organization, the Electric Reliability Organization (ERO) Enterprise, is composed of NERC and the six regional power grid operations located throughout the country.
Despite a number of high profile attacks and attempts, the electric grid didn’t lose any output as resulting from cyber offensives in 2020, according to the report. Still, such is the potential for damaging attacks and other risks to the nation’s power grid that the report’s release data was moved up to August, 2021 to afford the industry with more time to plan and budget to mitigate risks, officials said. Typically the report is produced every two years.
“Security is at the heart of our operations, and one of the highest priority items right next to changing resource mix,” John Moura, NERC director of reliability assessment and performance analysis, told the Wall Street Journal. “Unlike weather or some of our other risks, this is much more difficult to manage,” he said. “The persistence that we’ve seen and the level of sophistication more recently, especially with SolarWinds at the end of the last year, really highlighted the capability of the threat actors.”
MSSPs and MSPs: Protecting the Power Grid
Why should MSSPs and MSPs engaging with power grid clients care about NERC’s report? The power grid has become a favored target of nation-state cyber operatives. The report offers deep insight into how the industry views potential threats and what it is doing to prevent and mitigate them should any adversarial hits find their targets.
Power grid operations are vulnerable to cyber attacks from insider threats, poor cyber hygiene, supply-chain considerations, and dramatic transformation of the grid’s operational and technological environment, according to the report. Additional areas of concern related to cyber security risks are include:
- Potential for increasing cyber attacks across all sectors has increased; for example, the SolarWinds and Colonial pipeline attacks accentuate supply chain vulnerabilities as well as threats from both foreign actors and domestic adversaries.
- Artificial intelligence and machine learning can also be used as tools that cyber criminals employ.
- The potential trend toward virtualization and the housing of critical systems in the cloud could expose the electric industry to additional risks for which industry must both account for and plan.
- Supply chains are a targeted opportunity for nation-state, terrorists, and criminals to penetrate organizations without regard to whether the purchase is for information technology, operational technology, software, firmware, hardware, equipment, components, and/or services.
U.S. Federal Government Cybersecurity Strategy and Milestones
NERC’s increasing attention to cybersecurity mirrors a series of actions by the Biden administration. Here are some:
- Infrastructure bill. In early August 2021, the $1 trillion infrastructure currently in Congress set aside nearly $2 billion in cybersecurity funds. The money is designated to help the U.S. shore up its critical infrastructure against cyber attacks, allocates funds to help state and local governments fortify defenses, fleshes out funding for the brand new National Cyber Director’s office and covers other areas of commitment and concern. If the bill achieves Congressional and President Biden’s approval, then MSSPs, MSPs and MDR service providers are certain to be influenced by the bill’s contents in customer engagements. Winners could include security service providers that work with state and local government agencies.
- Mandatory security directive. In May 2021, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) issued its first ever mandatory security directive aimed at shoring up the nation’s oil and gas pipelines to repel cyber attacks. The order will require critical pipeline owners and operators to report confirmed and potential cybersecurity incidents to the DHS’ Cybersecurity and Infrastructure Security Agency (CISA).
- Mandatory standards. Also in May 2021, support for legislation that would set mandatory standards to secure pipelines picked up an important advocate in Energy Secretary Jennifer Granholm, who backed the idea in remarks before a House Committee on Energy and Commerce Subcommittee hearing. The regulations could require MSSPs to adjust their cybersecurity packaging and service level agreements in the energy sector.
- Collaborations. In April 2021, federal government agencies and private industry kicked off a collaboration to safeguard the United States power grid, the Department of Energy (DOE) said. The 100-day initiative aims to encourage power plants and electric utilities owners and operators to upgrade their cyber tools to identify cyber threats to their networks.
- Fixing vulnerabilities. In March 2021, a Government Account Office special report called out the U.S. electrical grid’s distribution systems, which carry electricity from transmission systems to consumers, for its vulnerability to cyber attacks that could result in extensive power outages.
- New bills. House lawmakers have previously passed three bills that would require the DOE to test products and serves intend for use in the bulk power system; direct the agency to encourage public/private sector partnerships to address security risks of electric utilities; and, appoint a Senate-confirmed lead tasked with protecting the nation’s energy and electric power systems.
