Protecting criticial energy infrastructure: Q&A with CISA’s Harrell

August 21, 2020

by Paul Ciampoli
APPA News Director
August 21, 2020

A Q&A with Brian Harrell, Assistant Director for Infrastructure Security at the Cybersecurity and Infrastructure Security Agency, Department of Homeland Security. Harrell submitted these responses in August 2020. On August 20, 2020, he announced that he will be resigning from CISA.  

How can the Cybersecurity and Infrastructure Security Agency help public power utilities on the cybersecurity front? What resources are available to public power utilities?

CISA is in a unique position because we are able to work with our critical infrastructure partners by bringing together an array of solutions across every sector, whether we are adopting new technology ourselves, helping our stakeholders securely adopt new technology, or in some cases looking at how our adversaries are adopting and utilizing new technological developments. Our goal is to help those that own and operate our Nation’s infrastructure understand and manage the risks they face. In these efforts, CISA works hand in hand with the critical infrastructure community by offering a number of voluntary programs, services and products, including: cybersecurity risk management and resilience services and tools; technical assistance upon request; and expanded information sharing capabilities to improve situational awareness of threats, vulnerabilities, incidents, mitigation, and recovery actions.

CISA also provides a number of partnership engagement opportunities that are free to all critical infrastructure owners and operators. For example, the Industrial Control Systems Joint Working Group (ICSJWG), which is led by CISA, supports information sharing and risk reduction to the Nation’s industrial control systems (ICS) through enhanced collaboration between the Federal Government and private owners and operators of industrial control systems across all critical infrastructure sectors. Many energy sector representatives have been longstanding members of the ICSJWG and we continue to find ways to innovate and strengthen the community.

For additional information on the various resources CISA provides to our critical infrastructure partners, including the electric sector, we encourage you to visit our website – CISA.gov.

Do you have any real-world examples of how CISA has successfully worked with a public power utility?

There has been a longstanding and strong relationship of collaboration and cooperation between CISA and the electricity sector, and our important partnership has continued to evolve over the years. For example, in 2018 we saw a multi-stage intrusion campaign led by Russian government cyber actors who targeted multiple critical infrastructure sectors, including the energy sector. Through an extensive collaboration effort across industry and government, we were able to release an alert providing critical infrastructure owners and operators information on observed tactics, techniques and procedures related to the threat. The alert also provided actionable mitigation techniques. Following the alert, CISA hosted a series of webinars for our partners, providing additional information on how to further reduce their exposure.

To give you just one more example on CISA’s collaboration with the electricity sector, on December 23, 2015, a campaign led by Russian government cyber actors caused power outages to three Ukrainian power companies, leaving nearly a quarter-million customers without power. CISA and the federal government partnered with the Electricity Information Sharing and Analysis Center (E-ISAC) and sent a team to Ukraine to help the impacted entities recover from the attack and implement mitigation techniques.

Together, we’ve also established effective partnership mechanisms, including the Tri-Sector Executive Working Group and the E-ISAC. The Tri-Sector Executive Working Group was chartered under the Critical Infrastructure Partnership Advisory Council (CIPAC) in 2018, with representatives with the financial services, electricity subsector and communication sectors. The working group is designed to facilitate and integrate a collaborative approach to risk management and address sector-specific capability gaps, cross-sector strategic challenges, and resilience during significant events affecting critical infrastructure. The long-term goal of the working group is to serve as a model for strategic coordination and establish a framework for operational collaboration that can be expanded to other critical infrastructure sectors. As I mentioned, the E-ISAC is a great example of how utility companies are working to secure their infrastructure across the sector. Two-way sharing of information on cyber threats and vulnerabilities between the private and public sector will enable us to continually take the advantage to the defender and apply costs to our adversaries.

How would you characterize the power sector’s response to the pandemic since March?

The COVID-19 pandemic has shown that when strong relationships and information-sharing capabilities are already in place by the time a crisis begins, services to the American people can continue unabated. Throughout the pandemic, utilities have shown their readiness and ability to respond to the challenge and they should be commended for their work to keep our nation’s electricity reliable during these unprecedented times.

When COVID-19 began to spread across our country, CISA quickly stepped up to help our critical infrastructure partners decrease impacts and the degrading of their services by leveraging our agency’s analytic capabilities and partnership mechanisms to develop risk management guidance for essential infrastructure workers. While earlier versions of CISA’s guidance were primarily intended to help officials and organizations identify essential work functions in order to allow them access to their workplaces during times of community restrictions, Version 4.0, which we just recently released, identifies those essential workers that require specialized risk management strategies to ensure that they can work safely. As we look ahead, and as the virus continues to take hold across the international community, it is imperative that we continue to work together across sectors to improve the security and resilience of our vital systems and functions. Through our collective defense measures, I believe that we will come out more secure and resilient than we were before the onset of this virus.

How would you characterize the current cybersecurity threat environment facing the electric utility industry? What are the key positive steps that the power sector has taken to boost cybersecurity, and are there any additional steps the industry can take?

Securing our nation’s critical infrastructure is a vast and complex endeavor. The convergence of information technology (IT) and operational technology (OT), and the expansion of internet-connected people, places and things creates an expanded attack surface. OT is an attractive target for those who wish us harm because critical infrastructure functionality, reliability, security, and safety depends so heavily on OT. Together, these factors make securing these digital networks increasingly difficult. In addition, cyber threat actors — including nation states — continue to demonstrate their willingness to conduct malicious cyber activity against critical infrastructure by exploiting internet-accessible OT assets. To combat against this threat, CISA and our partners at the National Security Agency recently issued an advisory to provide network defenders with recently observed tactics and recommendations for reducing cyber risk exposure across OT systems.

While these risks are significant, companies have risen to the occasion and have taken several positive steps to manage these risks.  For example, through established information sharing mechanisms, companies are detecting compromises sooner. Companies are also adopting more rigorous cybersecurity standards for their OT and IT environments. In addition to these important steps, we’ve seen organizations place a greater emphasis on the adoption of sound software development, acquisition processes and practices.

The energy sector has also been involved in a full spectrum of cyber exercise planning workshops and seminars designed to assist organizations at all levels in the development and testing of cybersecurity prevention, protection, mitigation, and response capabilities. For example, the North American Electric Reliability Corporation (NERC) hosts a Grid Security Exercise (GridEx) every two years, and it is an outstanding example of the public-private partnership. Through our agency’s participation in GridEx we’ve witnessed utility companies demonstrate how they would respond to and recover from cyber and physical security threats and incidents, strengthen their crisis communications relationships, and provide input for lessons learned. Only by continuing to proactively test our plans and processes and following up on these lessons learned will we strengthen the country’s critical infrastructure security and resilience.

In addition to these cyber exercises, through the Energy Sector Pathfinder program, CISA, along with our interagency partners, is working collaboratively to strengthen the U.S. government’s ability to identify cyber threats to the energy sector and respond effectively. As the nation’s risk advisor, CISA will leverage the lessons learned within the program to improve public-private collaboration across all critical infrastructure sectors and functions. CISA also intends to utilize the Pathfinder program to continue to improve incident response procedures and protocols with our government and industry partners.

How will CISA’s recently released strategy to strengthen and unify industrial control systems cybersecurity affect the power sector? Will electric utilities need to take actions in response to the strategy?

CISA has collaborated extensively with our interagency and industry partners to create an ICS initiative that will unify various stovepipe efforts, move to a more proactive approach, and ultimately strengthen cybersecurity. The ICS Strategy, which was released in July, describes where we want to go in ICS security. It also stresses that we cannot get there alone.

Through the strategy, we define a path forward that will integrate previously segmented cybersecurity capabilities, move CISA and the ICS community toward a more proactive risk posture, and ultimately strengthen the nation’s cybersecurity capabilities.  

Through the implementation of the strategy, CISA aims to form deeper partnerships with the energy sector and the electricity subsector. We are specifically concerned with the energy sector because the electric grid remains a critical lifeline sector and the backbone of our country’s infrastructure. With such pervasive critical infrastructure dependencies on electricity, the cascading effects of a successful cyber-attack remains of deep concern. Due to this reality, we are calling on greater contributions from the ICS community, while ensuring CISA delivers more value in return. The ICS community can radically amplify ICS risk-management capabilities and shape joint security investments that shift the cybersecurity paradigm by combining their collective security resources and expertise. Through the development of these shared capabilities, asset owners and operators can better defend themselves. CISA remains committed to continuing to provide and improve our current ICS security products and services, and we will prioritize development of ICS community-driven solutions.

To find out more information on how the strategy aims to help the ICS community achieve collective security, I encourage you to visit CISA.gov/ics

Is there anything else you would like to add?  

When it comes to making an organization cyber resilient, in today’s environment the stakes are increasing, and the decisions are challenging. In addition, a cyber-attack on any organization can often result in substantial financial and reputation loss for a business. Due to this reality, CISA is calling on greater input from C-suite executives. It is imperative for CEOs and senior-level managers to be engaged in the cybersecurity decisions being made across their company. Without the support of an organization’s leadership, it is impossible for cybersecurity leaders to effectively plan for and defend against these threats. I can’t stress enough that cybersecurity is no longer just an IT issue. It’s an enterprise risk management issue. C-suite level executives must work hand in hand with technical network defenders.