
CISA urges affected organizations to take action in response to exploitation of SolarWinds software

December 14, 2020

by Paul Ciampoli
APPA News Director

The Cybersecurity and Infrastructure Security Agency (CISA) on Dec. 13 said that it is aware of active exploitation of a vulnerability in versions of the SolarWinds Orion Platform software.

Versions 2019.4 through 2020.2.1 of the software were released between March 2020 and June 2020.

CISA, which falls under the purview of the Department of Homeland Security (DHS), is encouraging affected organizations to read SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures. FireEye is a cybersecurity firm.

In its security advisory, SolarWinds said it was made aware that its systems “experienced a highly sophisticated, manual supply chain attack” on SolarWinds Orion Platform software builds.

“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” SolarWinds said.

In the security advisory, SolarWinds offers several steps for parties to take related to use of the SolarWinds Orion Platform.

Meanwhile, DHS on Dec. 13 said that the relevant SolarWinds Orion products are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems, DHS said. Disconnecting affected devices is the only known mitigation measure currently available, it said.

DHS said that CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to federal civilian executive branch agencies and requires emergency action.

This determination is based on: (1) Current exploitation of affected products and their widespread use to monitor traffic on major federal network systems; (2) High potential for a compromise of agency information systems; and (3) Grave impact of a successful compromise.

“CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise,” DHS said.

ESCC

“The electric power industry takes all vulnerabilities and threats to the energy grid and our supply chains very seriously, including the latest SolarWinds Orion Platform vulnerability that cuts across many sectors,” the CEO-led Electricity Subsector Coordinating Council (ESCC) said in a Dec. 14 statement.

The ESCC “is highly engaged and already has conducted a situational awareness call on this threat,” the ESCC said.

The North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center (E-ISAC) also has provided potential indicators of compromise and other technical data that electric companies, public power utilities, electric cooperatives, and independent power producers in North America are utilizing to run comprehensive diagnostics of their systems to identify and to remediate any threat exposure, the ESCC noted.

“This information sharing is representative of the strong industry-government partnership that the ESCC embodies and is vital to guarding the energy grid from all possible threats,” the ESCC said.

Public power utilities should follow the guidance from the E-ISAC “as well as the Cybersecurity and Infrastructure Security Agency (CISA) as this situation unfolds,” said Sam Rozenberg, CPP and Director of Security and Resilience at the American Public Power Association.

Questions related to this development can be directed to: Cybersecurity@PublicPower.org.

Cybersecurity in and for Large Energy Transmission Projects

December 1, 2020

by Nina Terp
POWER Magazine

Read story here: https://view.imirus.com/427/document/13466/page/29


APPA highlights public power initiatives aimed at bolstering cybersecurity

November 5, 2020

by Paul Ciampoli
APPA News Director

Responding to a recent report issued by Moody’s Investors Service, the American Public Power Association on Nov. 5 highlighted a variety of initiatives that APPA and public power utilities have undertaken to bolster cybersecurity.

In the Nov. 4 report, “Cybersecurity readiness depends on scale, business model and generation ownership,” Moody’s said that, to gauge how well electric utilities are prepared to defend themselves against cyberattacks, it surveyed global electric utilities and power companies from March through September of this year.

“The results reflect key differences across what is otherwise a largely homogeneous sector. All observations in this report are based on our survey results and do not represent a definitive assessment of cybersecurity readiness,” the rating agency noted.

Among other things, the report asserts that very large utilities exhibit better cyber governance and risk management practices than midsize and small utilities.

At the same time, Moody’s noted that not-for-profit utilities with total assets of less than $10 billion are more likely to have stand-alone cyber insurance “and derive greater coverage value from their policy than similarly sized, regulated peers.”

“Cybersecurity is a journey, not a destination and requires ongoing risk mitigation,” said Joy Ditto, President and CEO of APPA. “Public power utilities are constantly looking to up their grid security game and are doing so in a variety of ways,” she said.

“Every public power utility is different, and each takes a risk-based approach to grid security, which includes evaluating threats. They invest appropriately in personnel and measures to meet local needs and protect their varied assets and information,” she said.

Ditto noted that the Department of Energy (DOE) has recognized the importance of not-for-profit utilities investing in deploying solutions to cyber and cyber-physical threats. The DOE recently awarded $6 million to APPA to continue to develop operational technology (OT) solutions for its members.

In addition, many APPA members don’t have SCADA (industrial control) systems, which means that their OT systems are not susceptible to cyber-tampering.

GridEx

Public power utilities also regularly exercise their incident response plans.

GridEx, which takes place every two years, allows utilities, government partners and other critical infrastructure participants to engage with local and regional first responders, exercise cross-sector impacts, improve unity of messages and communication, identify lessons learned and engage senior leadership.

The 2019 GridEx, which occurred in November 2019, marked the fifth such exercise. Public power participation increased 47%, from GridEx IV in 2017 to GridEx V.

APPA is encouraging its members to sign up for GridEx VI early and to participate, either as an active participant, or just to observe.

APPA’s RP3 survey includes questions about cybersecurity

In addition, APPA’s questions for its Reliable Public Power Provider (RP3) program include several that touch upon cybersecurity.

APPA’s RP3 program recognizes utilities that demonstrate high proficiency in reliability, safety, workforce development, and system improvement. Utilities keep the RP3 designation for three years.

Alex Hofmann, APPA’s Vice President for Technical and Operations Services, noted that the RP3 questions on cybersecurity serve as a proxy for a comprehensive cybersecurity survey and are reviewed by the 18-member RP3 panel.

The 114 utilities holding the RP3 designation in 2019 answered these cybersecurity-related questions as follows:

Definition of utilities

The report defines the following types of utilities as responding to the survey:

Regulated Utilities

Unregulated Utilities

Not-for-profit Utilities

“This breakdown and the associated dataset do not tell a clear picture for several reasons,” said Sam Rozenberg, APPA’s Director of Security and Resilience.

For example, he pointed out that some municipal utilities fall into the state-owned bucket and many public power electric utilities fall into the regulated bucket, including those that are required to comply with North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements.

Meanwhile, Rozenberg pointed out that, when determining a cybersecurity posture, public power utilities use a risk-based approach and therefore threats are taken into account when it comes to cybersecurity.

“Throughout the report, the data presented is intermixed to show the picture that government-owned utilities are weaker, without mentioning the threat level difference between them and larger utilities,” he said.

Rozenberg also noted that the report is based on an international survey of 115 utilities, but said it is unclear how many of the nation’s more than 2,000 public power utilities participated.

While 71 of the 115 surveyed utilities are “American,” the universe of U.S. electric utilities is more than 3,000, he noted.

Power sector keeps close eye on physical security, cybersecurity in lead-up to elections

October 28, 2020

by Paul Ciampoli
APPA News Director

The power sector is keeping a close watch on potential threats to physical security and cybersecurity from international and domestic actors in the lead-up to next week’s elections in the U.S.

A number of electric utilities, including public power utilities, recently participated in an Electricity Subsector Coordinating Council call that included a briefing from the Federal Bureau of Investigation, two peer utilities, and the E-ISAC. The FBI has set up a command center to monitor potential civil unrest related to the elections.

Meanwhile, the North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center (E-ISAC) on Oct. 27 released an All-Points Bulletin (APB) on Electricity Industry Preparedness for the 2020 U.S. Election.

The E-ISAC routinely monitors all threats to the grid and provides alerts to industry as needed when new or continuing threats emerge.

In its bulletin, the E-ISAC noted that the power industry has undertaken weeks of preparation and analysis and collaboration with federal, state and local partners to ensure continuity of operations during the U.S. election cycle.

“At this time, the E-ISAC is not aware of any known specific or credible threats to the North American electric grid in conjunction with the election,” the E-ISAC said, noting that the bulletin is being shared to raise awareness and promote preparedness during the election.

Also, the E-ISAC has coordinated with the Elections Infrastructure-ISAC and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency over the last two months to provide awareness, and produced a 2020 Election Threat Awareness and Preparedness White Paper and Executive Summary, which offers an overview of the industry-specific threat and mitigation measures. Additionally, CISA has created a Rumor Control webpage that will be continually updated to help the general public distinguish fact from fiction with regard to misinformation efforts by foreign or domestic groups.

In terms of relevant resources provided by the American Public Power Association, APPA’s All-Hazards Guidebook helps public power utilities, joint action agencies, state associations, and other industry representatives in the development or continuous improvement of emergency preparedness programs and all-hazards planning efforts. As utilities prepare for potential civil unrest, the guidance in this resource may be helpful.

APPA encourages its members to coordinate with local, state and federal law enforcement, before any potential physical or cybersecurity incident, to ensure a rapid and coordinated response. For information on how to connect with your local FBI or CISA representatives, please email Cybersecurity@PublicPower.org.

DOE awards $12 million to APPA, NRECA for cybersecurity solutions

September 25, 2020

by Peter Maloney
APPA News

The Department of Energy has announced $12 million in cooperative agreements with the American Public Power Association (APPA) and the National Rural Electric Cooperative Association (NRECA) to develop and deploy solutions to cyber and cyber-physical threats.

The cooperative agreement funding, which comes through the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), allocates $6 million to each organization.

APPA will work alongside CESER’s Cybersecurity for Energy Delivery Systems division, which carries out CESER’s research and development function, and the National Energy Technology Laboratory, which will develop and demonstrate the final cyber and cyber-physical solutions that are slated to be deployed to utilities by 2023.

“Grid security is a journey, not a destination,” said APPA President and CEO Joy Ditto. “This funding from DOE-CESER will provide us with critical resources to continue to navigate this journey. Developing and enhancing tools to assist public power and co-ops in protecting critical infrastructure will ultimately benefit the entire industry.”

Solutions developed and deployed under this cooperative agreement will help provide utilities with hardware, firmware and/or software to protect the key operational technology components that enable the safe control of the physical systems that deliver electric power.

According to a press release from CESER, “The solutions will detect and respond to adversarial activity through community-led information sharing; use artificial intelligence to reduce false positives in threat detection; provide advanced analytics for pinpointing when and where a system was compromised; increase system resilience, and employ autonomous defense at remote endpoints.”

“Our goal here is to utilize our unique capability as a national convener of public power utilities, working with our members and other organizations, to help develop, demonstrate, and deploy cybersecurity solutions,” Alex Hofmann, APPA’s vice president of technical and operations services, said.

CESER was established in February 2018 with $96 million in funding aimed at bolstering the DOE’s cybersecurity and energy security efforts.

This cooperative agreement, which is focused on defense of operational technology, is separate from, but builds on, a cooperative agreement APPA entered into with the DOE in 2016 to develop a culture of cybersecurity within public power. That partnership, called Cybersecurity for Energy Delivery Systems, or CEDS, resulted in several public power-specific resources, including the Public Power Cybersecurity Scorecard, the Public Power Cybersecurity Roadmap and the Public Power Incident Response Playbook.

Utilities can find additional information and resources on the CEDS program on our website.

FERC issues NOI on threats from equipment sourced from foreign adversaries

September 21, 2020

by Peter Maloney
APPA News

The Federal Energy Regulatory Commission (FERC) is seeking comments on the potential risks to the bulk electric system posed by equipment and services produced or provided by entities identified as risks to national security.

The Notice of Inquiry (NOI), Docket No. RM20-19-000, also seeks comments on whether the current Critical Infrastructure Protection (CIP) reliability standards adequately mitigate the identified risks and on what actions the commission could consider taking to address them. The NOI is also seeking comment on the extent to which equipment and services provided by such entities are used in the operation of the bulk electric system.

Since October 2018 when FERC issued Order 850, which approved the existing CIP reliability standards on supply chain risk management, there have been significant developments in the form of Executive Orders, legislation, as well as federal agency actions that raise concerns over the potential risks posed by the use of equipment and services provided by certain entities identified as risks to national security, the NOI says.

In particular, Huawei Technologies Company and ZTE Corporation “have been identified as examples of such certain entities because they provide communication systems and other equipment and services that are critical to bulk electric system reliability,” the NOI said.

The NOI says both entities have close ties to the Chinese government at both the ownership and employee level. In addition, under Chinese law, both entities have obligations that permit Chinese government entities, including state intelligence agencies, to demand that private communications sector entities cooperate with governmental requests, including revealing customer information and network traffic information.

And while there are many manufacturers of networking and telecommunications equipment, Huawei and ZTE are “gaining substantial shares of the market globally,” the NOI says, adding that systems are also vulnerable to Huawei and ZTE components embedded in equipment produced by unaffiliated vendors. That raises the probability that electric utilities now use “a significant amount” of telecommunications equipment with embedded components from Huawei and ZTE, the NOI says.

“If these obscured, or potentially unlabeled, components are present in an electric utility’s infrastructure, the same risks may exist as if the hardware had been purchased directly from Huawei, ZTE or one of its subsidiaries,” the NOI says.

The NOI cited Executive Order 13,873, which directs the Secretary of Commerce to identify equipment from a foreign adversary that has the potential for sabotage.

Executive Order 13,920, issued May 1, 2020, declared a national emergency in that foreign adversaries are increasingly creating and exploiting vulnerabilities in the bulk power system, including substations, generating stations and control rooms, and that unrestricted foreign supply of equipment constitutes a threat to national security. The order also created a Task Force on Federal Energy Infrastructure Procurement Policies Related to National Security, chaired by the Secretary of Energy.

In June 2020, the Federal Communications Commission issued orders designating Huawei and ZTE as national security threats to the integrity of communications networks and the communications supply chain.

Comments on the NOI are due 60 days after publication in the Federal Register, and reply comments are due 90 days after publication in the Federal Register.

Joint FERC-NERC report outlines best cybersecurity practices

September 21, 2020

by Peter Maloney
APPA News

Staff of the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) have published a report detailing utility best practices for response to and recovery from cyber attacks.

The report, Cyber Planning for Response and Recovery Study (CYPRES), was developed based on interviews with subject matter experts from eight electric utilities of varying size and function. The report includes the joint staffs’ observations on the utilities’ defensive capabilities and the effectiveness of their incident response and recovery (IRR) plans.

The report identifies common elements among the incident response and recovery plans, including the definition and scope of a cyber incident, the roles and responsibilities of staff, reporting requirements and guidelines for external communication, as well as procedures to evaluate performance in the wake of an attack.

While acknowledging that there is no single best incident response and recovery plan model, the FERC/NERC team identified best practices that utilities should consider when developing their IRR plans.

Specifically, an effective incident response and recovery plan should:

Among other observations, the report found that roles and responsibilities became better defined and clearer to participants after they took part in exercises, such as NERC’s Grid Security Exercise (GridEx), to test their response and recovery plans. Many participants in the report said they modified their incident response and recovery plans after completing the GridEx process.

GridEx, which takes place every two years, allows utilities, government partners and other critical infrastructure participants to engage with local and regional first responders, exercise cross-sector impacts, improve unity of effort messages and communication, identify lessons learned and engage senior leadership.

The most recent GridEx occurred in 2019. In 2017, 53 public power entities participated in GridEx, while in 2019, 100 public power entities participated.

Meanwhile, some participants in the report also noted that virtualization is a useful tool. Virtualization uses software to behave as if it were a physical device. Virtualizing hardware allows one physical device to host many virtual devices, reducing hardware and real estate costs.

And, because a virtualized device can be easily saved and restored, it can save hours of work when a software glitch occurs. In the same way, if a cyber attack were to require a machine to be rebuilt from scratch, virtualization would make the restoration process less costly and time consuming.

The report concludes that “effective IRR plans can mitigate the natural advantages that cyber attackers possess.” Because cyber attackers operate covertly, “effective IRR plans should be in place and response teams should be prepared to detect, contain, and, when appropriate, eradicate the cyber threat before it can impact the utility’s operations.”

APPA says cybersecurity incentive program is not needed, could hike transmission costs

September 4, 2020

by Paul Ciampoli
APPA News Director

An incentive program for cybersecurity investments outlined in a recent Federal Energy Regulatory Commission staff White Paper is not needed to encourage investment in cybersecurity measures and could lead to investment that raises transmission costs for customers without providing meaningful cybersecurity benefits in return, the American Public Power Association recently said.

APPA on Aug. 17 submitted comments at FERC in response to the White Paper, which proposed a new framework for providing transmission incentives to utilities for cybersecurity investments. FERC staff cited “the evolving and increasing threats to the cybersecurity of the electric grid” as the impetus for the Cybersecurity Incentives Policy white paper (Docket No. AD20-19-000).

APPA said that it recognizes that today’s electric grid faces increasing cybersecurity risks, adding that it appreciates FERC staff’s efforts to evaluate how the Commission might facilitate utility investment that could mitigate these risks.

“APPA respectfully submits, however, that the incentive program outlined in the White Paper is not needed to promote prudent public utility investment in cybersecurity measures,” the trade group said.

“On the contrary, if adopted, the White Paper framework could result in investment that raises transmission costs for customers without providing meaningful cybersecurity benefits in return,” APPA said.

APPA sees several threshold problems

APPA said that there are several threshold problems with the incentive approaches described in the White Paper.

First, neither generic application of North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) reliability standard requirements to lower impact Bulk Electric System (BES) cyber systems that are not currently subject to those requirements, nor broad adoption of National Institute of Standards and Technology (NIST) framework security controls “would necessarily result in a meaningful increase in cybersecurity, as the White Paper appears to assume,” APPA said.

“This is not to say that use of these approaches in certain circumstances would not have cybersecurity benefits, but APPA questions the assumption that widespread adoption of these approaches as contemplated in the White Paper would be a cost-effective way of achieving meaningful cybersecurity outcomes.”

Second, APPA argued that even in circumstances where more robust cybersecurity investment might be beneficial, new incentives or cost recovery mechanisms should not be necessary to promote it.

It said that the record from a March 2019 technical conference convened by the Commission and the Department of Energy strongly supports this conclusion. “Awarding incentives where they are not needed would contravene longstanding requirements for just and reasonable incentive rates,” APPA said.

Moreover, as the White Paper notes, it is not clear that incentives – particularly the proposed 200 basis point return on equity adder – would prompt utilities to make the investments that the White Paper describes, APPA told FERC.

“This lack of response would not be a problem to the extent that investments would not have substantially reduced cybersecurity risk, but if the Commission’s goal is to revise its policies to encourage prudent and cost-effective cybersecurity investment, ROE adders may not be an effective way to accomplish the goal.”

Rising transmission costs

APPA said that FERC must be cognizant of the fact that customers continue to incur rising transmission costs. 

While the trade group supports prudent expenditures to help secure the transmission system against cyber threats, it said that rate incentives that are unnecessary or even counter-productive will needlessly increase customer costs without providing commensurate consumer benefits. 

Unjustified incentives could be particularly problematic for public power utilities, many of which are dependent on public utilities for transmission service, APPA pointed out.  The costs of incentives paid by public power utilities in their transmission rates might be on top of infrastructure security costs incurred by public power utilities on their own systems to guard against growing cyber risks, it said.

APPA says FERC should adopt changes if it moves forward with White Paper proposal

If FERC decides to move forward with the White Paper proposal, it should adopt a number of changes and clarifications, APPA said.

Specifically, APPA argued that applicants under either of the two incentive approaches described in the White Paper should be required to demonstrate how the investments will directly result in significant cybersecurity benefits for Commission-jurisdictional transmission facilities, with reference to quantifiable metrics for the expected enhanced cybersecurity benefits.

APPA took issue with the White Paper’s proposal to presume that extending the application of CIP reliability standards to lower impact BES cyber systems will result in significant benefits.

In addition, an entity seeking an incentive should be required to show that there is at least a rational relationship between each incentive sought and the decision to invest in the project, consistent with the requirements of just and reasonable incentive rates.

APPA offered a number of other suggested changes including:

Reply comments

In reply comments filed on Sept. 1 at FERC in the proceeding, APPA said that if the Commission ultimately proceeds with an incentive program for cybersecurity investments, it should not accept calls to expand the program beyond the framework described in the White Paper.

FERC staff correctly recognizes that an incentive framework must include an approach for identifying the cybersecurity investments that FERC seeks to incentivize, APPA said.

An incentive program that allows utilities to request incentives for any activity or investment that provides a benefit to the reliability and security of the transmission system, or that allegedly constitutes an application of the NIST Framework, “does not clearly identify which investments are eligible for incentives.”

Such an approach would increase the likelihood that utilities would seek incentives for routine cybersecurity measures that are simply good utility practice, and it would exacerbate the already considerable challenges that would be presented in trying to assess “compliance” with the NIST framework under the White Paper’s proposal, APPA argued.

APPA went on to note that incentives under Federal Power Act section 219 are limited to those that promote investments in transmission facilities or technologies.

However, a number of commenters in the proceeding argued that the Commission should require transmission customers to fund incentives for enterprise-wide cybersecurity investments, or even cybersecurity expenditures by merchant generators.

“The commenters urging such broad eligibility for transmission incentives make no effort to reconcile their positions with the text of FPA section 219, even though the White Paper specifically requested input on this issue.”

Even if section 219 were not limited to incentives that promote transmission investment, cost causation principles would preclude requiring transmission customers under cost-based rates to subsidize cybersecurity investments benefitting other corporate businesses or functions, APPA said.

Protecting critical energy infrastructure: Q&A with CISA’s Harrell

August 21, 2020

by Paul Ciampoli
APPA News Director

A Q&A with Brian Harrell, Assistant Director for Infrastructure Security at the Cybersecurity and Infrastructure Security Agency, Department of Homeland Security. Harrell submitted these responses in August 2020. On August 20, 2020, he announced that he would be resigning from CISA.

How can the Cybersecurity and Infrastructure Security Agency help public power utilities on the cybersecurity front? What resources are available to public power utilities?


CISA is in a unique position because we are able to work with our critical infrastructure partners by bringing together an array of solutions across every sector, whether we are adopting new technology ourselves, helping our stakeholders securely adopt new technology, or in some cases looking at how our adversaries are adopting and utilizing new technological developments. Our goal is to help those that own and operate our Nation’s infrastructure understand and manage the risks they face. In these efforts, CISA works hand in hand with the critical infrastructure community by offering a number of voluntary programs, services and products, including: cybersecurity risk management and resilience services and tools; technical assistance upon request; and expanded information sharing capabilities to improve situational awareness of threats, vulnerabilities, incidents, mitigation, and recovery actions.

CISA also provides a number of partnership engagement opportunities that are free to all critical infrastructure owners and operators. For example, the Industrial Control Systems Joint Working Group (ICSJWG), which is led by CISA, supports information sharing and risk reduction to the Nation’s industrial control systems (ICS) through enhanced collaboration between the Federal Government and private owners and operators of industrial control systems across all critical infrastructure sectors. Many energy sector representatives have been longstanding members of the ICSJWG and we continue to find ways to innovate and strengthen the community.

For additional information on the various resources CISA provides to our critical infrastructure partners, including the electric sector, we encourage you to visit our website – CISA.gov.

Do you have any real-world examples of how CISA has successfully worked with a public power utility?

There has been a longstanding and strong relationship of collaboration and cooperation between CISA and the electricity sector, and our important partnership has continued to evolve over the years. For example, in 2018 we saw a multi-stage intrusion campaign led by Russian government cyber actors who targeted multiple critical infrastructure sectors, including the energy sector. Through an extensive collaboration effort across industry and government, we were able to release an alert providing critical infrastructure owners and operators information on observed tactics, techniques and procedures related to the threat. The alert also provided actionable mitigation techniques. Following the alert, CISA hosted a series of webinars for our partners, providing additional information on how to further reduce their exposure.

To give you just one more example on CISA’s collaboration with the electricity sector, on December 23, 2015, a campaign led by Russian government cyber actors caused power outages to three Ukrainian power companies, leaving nearly a quarter-million customers without power. CISA and the federal government partnered with the Electricity Information Sharing and Analysis Center (E-ISAC) and sent a team to Ukraine to help the impacted entities recover from the attack and implement mitigation techniques.

Together, we’ve also established effective partnership mechanisms, including the Tri-Sector Executive Working Group and the E-ISAC. The Tri-Sector Executive Working Group was chartered under the Critical Infrastructure Partnership Advisory Council (CIPAC) in 2018, with representatives from the financial services, electricity subsector and communication sectors. The working group is designed to facilitate and integrate a collaborative approach to risk management and address sector-specific capability gaps, cross-sector strategic challenges, and resilience during significant events affecting critical infrastructure. The long-term goal of the working group is to serve as a model for strategic coordination and establish a framework for operational collaboration that can be expanded to other critical infrastructure sectors. As I mentioned, the E-ISAC is a great example of how utility companies are working to secure their infrastructure across the sector. Two-way sharing of information on cyber threats and vulnerabilities between the private and public sector will enable us to continually take the advantage to the defender and apply costs to our adversaries.

How would you characterize the power sector’s response to the pandemic since March?

Photo: Brian Harrell (right), with Giacomo Wray (left) and Nathan Mitchell (center) from the American Public Power Association at a meeting in January 2019.

The COVID-19 pandemic has shown that when strong relationships and information-sharing capabilities are already in place by the time a crisis begins, services to the American people can continue unabated. Throughout the pandemic, utilities have shown their readiness and ability to respond to the challenge and they should be commended for their work to keep our nation’s electricity reliable during these unprecedented times.

When COVID-19 began to spread across our country, CISA quickly stepped up to help our critical infrastructure partners decrease impacts and the degrading of their services by leveraging our agency’s analytic capabilities and partnership mechanisms to develop risk management guidance for essential infrastructure workers. While earlier versions of CISA’s guidance were primarily intended to help officials and organizations identify essential work functions in order to allow them access to their workplaces during times of community restrictions, Version 4.0, which we just recently released, identifies those essential workers that require specialized risk management strategies to ensure that they can work safely. As we look ahead, and as the virus continues to take hold across the international community, it is imperative that we continue to work together across sectors to improve the security and resilience of our vital systems and functions. Through our collective defense measures, I believe that we will come out more secure and resilient than we were before the onset of this virus.

How would you characterize the current cybersecurity threat environment facing the electric utility industry? What are the key positive steps that the power sector has taken to boost cybersecurity, and are there any additional steps the industry can take?

Securing our nation’s critical infrastructure is a vast and complex endeavor. The convergence of information technology (IT) and operational technology (OT), and the expansion of internet-connected people, places and things creates an expanded attack surface. OT is an attractive target for those who wish us harm because critical infrastructure functionality, reliability, security, and safety depend so heavily on OT. Together, these factors make securing these digital networks increasingly difficult. In addition, cyber threat actors — including nation states — continue to demonstrate their willingness to conduct malicious cyber activity against critical infrastructure by exploiting internet-accessible OT assets. To combat this threat, CISA and our partners at the National Security Agency recently issued an advisory to provide network defenders with recently observed tactics and recommendations for reducing cyber risk exposure across OT systems.

While these risks are significant, companies have risen to the occasion and have taken several positive steps to manage these risks. For example, through established information sharing mechanisms, companies are detecting compromises sooner. Companies are also adopting more rigorous cybersecurity standards for their OT and IT environments. In addition to these important steps, we’ve seen organizations place a greater emphasis on the adoption of sound software development, acquisition processes and practices.

The energy sector has also been involved in a full spectrum of cyber exercise planning workshops and seminars designed to assist organizations at all levels in the development and testing of cybersecurity prevention, protection, mitigation, and response capabilities. For example, the North American Electric Reliability Corporation (NERC) hosts a Grid Security Exercise (GridEx) every two years, and it is an outstanding example of the public-private partnership. Through our agency’s participation in GridEx we’ve witnessed utility companies demonstrate how they would respond to and recover from cyber and physical security threats and incidents, strengthen their crisis communications relationships, and provide input for lessons learned. Only by continuing to proactively test our plans and processes and following up on these lessons learned will we strengthen the country’s critical infrastructure security and resilience.

In addition to these cyber exercises, through the Energy Sector Pathfinder program, CISA, along with our interagency partners, is working collaboratively to strengthen the U.S. government’s ability to identify cyber threats to the energy sector and respond effectively. As the nation’s risk advisor, CISA will leverage the lessons learned within the program to improve public-private collaboration across all critical infrastructure sectors and functions. CISA also intends to utilize the Pathfinder program to continue to improve incident response procedures and protocols with our government and industry partners.

How will CISA’s recently released strategy to strengthen and unify industrial control systems cybersecurity affect the power sector? Will electric utilities need to take actions in response to the strategy?

CISA has collaborated extensively with our interagency and industry partners to create an ICS initiative that will unify various stovepipe efforts, move to a more proactive approach, and ultimately strengthen cybersecurity. The ICS Strategy, which was released in July, describes where we want to go in ICS security. It also stresses that we cannot get there alone.

Through the strategy, we define a path forward that will integrate previously segmented cybersecurity capabilities, move CISA and the ICS community toward a more proactive risk posture, and ultimately strengthen the nation’s cybersecurity capabilities.

Through the implementation of the strategy, CISA aims to form deeper partnerships with the energy sector and the electricity subsector. We are specifically concerned with the energy sector because the electric grid remains a critical lifeline sector and the backbone of our country’s infrastructure. With such pervasive critical infrastructure dependencies on electricity, the cascading effects of a successful cyber-attack remain of deep concern. Due to this reality, we are calling on greater contributions from the ICS community, while ensuring CISA delivers more value in return. The ICS community can radically amplify ICS risk-management capabilities and shape joint security investments that shift the cybersecurity paradigm by combining their collective security resources and expertise. Through the development of these shared capabilities, asset owners and operators can better defend themselves. CISA remains committed to continuing to provide and improve our current ICS security products and services, and we will prioritize development of ICS community-driven solutions.

To find out more information on how the strategy aims to help the ICS community achieve collective security, I encourage you to visit CISA.gov/ics.

Is there anything else you would like to add?

When it comes to making an organization cyber resilient, in today’s environment the stakes are increasing, and the decisions are challenging. In addition, a cyber-attack on any organization can often result in substantial financial and reputation loss for a business. Due to this reality, CISA is calling on greater input from C-suite executives. It is imperative for CEOs and senior-level managers to be engaged in the cybersecurity decisions being made across their company. Without the support of an organization’s leadership, it is impossible for cybersecurity leaders to effectively plan for and defend against these threats. I can’t stress enough that cybersecurity is no longer just an IT issue. It’s an enterprise risk management issue. C-suite level executives must work hand in hand with technical network defenders.

NSA, CISA Urge Critical Infrastructure Owners And Operators To Secure OT Assets

July 27, 2020

by Paul Ciampoli
APPA News Director
Posted July 27, 2020

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert in which they said it is critical that asset owners and operators of critical infrastructure take immediate steps to secure their operational technology (OT) assets.

The NSA and CISA said that over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets.

“Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression,” the July 23 alert noted.

OT assets are critical to the Department of Defense mission and underpin essential National Security Systems and services, as well as the Defense Industrial Base and other critical infrastructure, the alert said.

The agencies said that at this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take immediate steps to ensure resilience and safety of U.S. systems “should a time of crisis emerge in the near term.”

The NSA and CISA are recommending that all Department of Defense, National Security Systems, Defense Industrial Base and U.S. critical infrastructure facilities take immediate actions to secure their OT assets.

The alert notes that internet-accessible OT assets are becoming more prevalent across the 16 U.S. critical infrastructure sectors “as companies increase remote operations and monitoring, accommodate a decentralized workforce, and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance.”

The alert details recently observed tactics, techniques, and procedures, as well as impacts.

It also outlines the following mitigation strategies:

* Have a Resilience Plan for OT
* Exercise your Incident Response Plan
* Harden Your Network
* Create an Accurate “As-operated” OT Network Map Immediately
* Understand and Evaluate Cyber-risk on “As-operated” OT Assets
* Implement a Continuous and Vigilant System Monitoring Program
