Nowhere is that more true than in critical infrastructure and the energy sector, where the perpetual need to keep the lights and power running has locked the industry into insecure technologies and network architectures that were developed decades ago.
Back in 2013, the Obama administration identified the energy sector as “uniquely critical due to the enabling functions they provide across all critical infrastructure sectors.” Meanwhile, state-backed and criminal hacking groups have gotten better, faster and more emboldened to target the networks and automated systems built on top of that infrastructure. Incidents such as the Colonial Pipeline ransomware attack have reinforced longstanding fears in government that even individual hacks can cause widespread supply chain disruptions and shortages.
Now, officials at the Department of Energy say they are looking to leverage billions of dollars in federal funding from the Bipartisan Infrastructure Law passed last year in a bid to replace and reshape many of the underlying technologies and processes that underpin our national power system.
“Any time you’re on the cusp of introducing new technology or on the cusp of significant spending [or] investing in infrastructure upgrades, that’s the time where you really want to think strategically,” Cheri Caddy, a senior advisor for cybersecurity policy and strategy at the Department of Energy, told SC Media in an interview. “How do I optimize my spending not just for efficiency…but use that occasion, that strategic opportunity to think about building secure?”
Caddy and other Energy officials have described the infrastructure law as a “once in a generation opportunity” to overhaul and modernize large swaths of the energy sector’s IT and cybersecurity. In order to do so, experts say the department and its cyber wing CESER (the Office of Cybersecurity, Energy Security and Emergency Response) will need to navigate a complex and competitive funding environment to ensure that states, local governments, private companies and utilities are following through on the strategy.
Cybersecurity competing with clean energy
Much of the public discussion from the White House and Congress around energy investments in the Bipartisan Infrastructure Law has been focused not around cybersecurity or IT but rather clean energy, developing technologies with greater energy efficiency and reducing the carbon footprint of a sector that the United Nations has classified as the largest contributor to greenhouse gas emissions in the world.
In January, President Joe Biden touted the benefits of the law to the energy sector, mentioning renewable energy labs in Colorado, new and upgraded power transmission lines and towers and wind energy. In February, he gave a speech in Ohio touting the law and how it “helps us invest in a cleaner, stronger, more resilient electric grid, with 100% clean electric energy being generated by the year 2035.” Neither speech made mention of technology or cybersecurity upgrades.
But the ground-level guidance the administration developed for state and local governments makes it clear that the White House sees billions of dollars in federal funding from the law that can be unlocked to make cybersecurity-specific upgrades to energy infrastructure.
According to a guidebook the administration released in January, the law sets aside at least $1.3 billion to fund cybersecurity resilience measures. It also includes $1 billion for state and local cybersecurity grants, $250 million for energy sector cyber research and development, $250 million for rural and municipal utility cyber and technical assistance, $100 million for a cyber response and recovery fund overseen by the Department of Homeland Security, and $50 million for energy sector cyber resilience support.
Beyond that, scores of individual project descriptions include specific language that allows the federal government or downstream recipients to use money allocated to grant funding for industrial research, port development and other areas for cybersecurity-related purposes.
The spending on cybersecurity “is spread across multiple programs to strengthen cyber systems and defense against future attacks, including funding for State, Local, Tribal, and Territorial grants for the Federal Emergency Management Agency, cyber response and recovery, and Research & Development in cyber,” the guidebook states.
“We’re really looking to [ask] as we’re beginning to move all that infrastructure money and execute on it: how do we infuse security into those discussions?” said Caddy. “So, it’s less a specific technology or specific project that’s being advocated here but more how do we look across the board as we’re making investments across the department — at putting more renewables in place, at decarbonizing the grid, and updating outdated infrastructure. For any particular project that’s doing those things, let’s also put cybersecurity into the mix, into the qualifications, so we’re pursuing those multiple goals at once.”
Cybersecurity mistakes decades in the making
The status quo has been decades in the making, the product of multiple factors, including the energy sector’s historical prioritization of reliability and physical safety over cybersecurity, a lack of human expertise and the increased reliance on newer automated technologies that have opened up new attack surfaces within energy utilities for malicious hackers to exploit.
Malware designed to attack the machinery and networking that help to run modern essential services is still rare, but that’s starting to change. One of the latest examples happened in April, when cybersecurity firms Dragos and Mandiant announced they had discovered what is believed to be just the seventh piece of ICS-specific malware found in the wild, dubbed PIPEDREAM.
While there was no evidence the tool was deployed before it was discovered, researchers said it targeted programmable logic controllers made by Schneider Electric and Omron, was capable of disrupting, degrading or even destroying data and leveraged vulnerabilities that are inherent in many other commercial controllers. Mandiant compared it to some of the most dangerous malware known to target industrial control systems, such as Triton, Industroyer and Stuxnet.
Michael Dransfield, a senior technical executive for control systems cybersecurity at the NSA, said earlier this month that his agency is “seeing more and more capabilities that are available either open source or being developed by our adversaries” specifically designed to target critical infrastructure and industrial control systems.
That’s in part because energy utilities, like other sectors, are facing a shortage of workers who understand both cybersecurity and the technical and business realities of operating critical infrastructure. While modernization of the underlying technology is one component of the plan for safer energy, any effective strategy for creating more secure electrical grids and other energy assets will need to account for the lack of human expertise that is increasingly being replaced with digital, remote systems.
“Back in 2003, you had operators who really didn’t understand the cybersecurity problem and you had cybersecurity individuals who really worked in the IT world, but did not really understand what operational technology or control systems were,” said Dransfield. “We’ve made progress bringing those two groups together [but] the problem is a lot of the … seasoned veterans who work in the operational technology world have retired, and so within the U.S. we have begun to rely more and more on automated control systems.”
Building security-native technologies and processes to better protect those systems is essential and need not conflict with broader goals around climate.
According to CESER Director Puesh Kumar, the plan is to ensure that as states and energy companies go about replacing their equipment, machinery and operational technology with more climate-friendly alternatives, they are also working to undo some of the early design mistakes that have plagued industry cybersecurity for decades. The department “is going to be investing over $62 billion over the next five to 10 years in the U.S. energy sector and specifically the electric grid, and so this is the time to do it.”
“From my vantage point, we honestly have a strategic opportunity like we’ve never had before. We’re seeing this revolution of particularly clean energy systems that are going to be coming online and we have an opportunity to actually build in cybersecurity rather than trying to bolt it on that we’ve done in so many other sectors, including the energy sector, for too long,” said Kumar in July during an online event hosted by Nozomi Networks.
Navigating the bureaucratic maze
With cybersecurity, the best laid plans set out by any government or industry are largely dependent on the ability to wrangle and persuade other stakeholders.
Governments can regulate but don’t own most of the infrastructure or make any of the underlying technologies. Private industry can innovate and has the money, but has historically lacked the financial incentives to do so. Utilities often lack access to cybersecurity-specific funding and have a duty to keep operations running that complicates any widespread modernization plans.
Trevor Rudolph, vice president for global digital public policy at Schneider Electric, told SC Media that while federal dollars can help with some of the biggest challenges to energy modernization, they wouldn’t address other core issues — like service continuity — that are often the biggest roadblocks to modernization at scale.
“A lot of the systems and infrastructure that Energy is talking about, there is zero tolerance for downtime. Utilities are having to deal with the challenge where, yes, they want to upgrade, yes they want to replace certain systems but they can’t afford even a second of downtime with their existing infrastructure,” said Rudolph, who also worked as chief of the cyber and national security unit at the Office of Management and Budget.
Then there is the question of follow-through. Rudolph said the process of getting that funding down to different stakeholders in the energy industry and used for cybersecurity-specific investments is “more complicated” than anything he experienced while in government. Energy’s statutory authority to tell owners and operators what to do when prioritizing upgrades is “tenuous at best.” The money from the infrastructure law will flow down to states, local governments, utilities, and other stakeholders, often in the form of grant funding that can be spent in a variety of different ways. That means that in some cases, those entities must voluntarily follow through on the federal government’s plans.
There is already evidence of a split between Democrats and Republicans over how much control the White House and executive branch can wield over the money that will be spent by states and utilities.
In February, Senate Majority Leader Mitch McConnell, R-Ky., and Sen. Shelley Moore Capito, R-W.Va., sent a letter to governors around the country urging them to ignore the Biden administration’s guidance on how to utilize funding from the infrastructure law on road and highway investments, saying a December 2021 memorandum from the Federal Highway Administration outlining how states should allocate spending “attempts to implement a wish list of policies not reflected” in the law.
Congress wrote the law to give states and localities ample flexibility to spend those dollars how they see fit and the senators stressed that guidance from the executive branch is not legally binding unless it’s backed up in the letter of the law. The administration’s guidance “is an internal document, has no effect of law, and states should treat it as such,” McConnell and Capito wrote.
One area where that flexibility could ultimately benefit cybersecurity is around the “Buy America” provisions in the law.
Heath Knakmuhs, vice president and policy counsel of the Global Energy Institute at the U.S. Chamber of Commerce, noted that money allocated to buy and install new climate-friendly parts and components within energy infrastructure may conflict with the law’s requirements that utilities buy domestically manufactured products. There is also still considerable uncertainty about how the administration intends to issue waivers that allow companies and utilities to bypass those rules. The Chamber and 11 other organizations have submitted at least 46 questions to OMB regarding how the “Buy America” provisions will be implemented.
The way climate supply chains are set up may conflict with the law’s broader Buy America rules, Knakmuhs said in an interview. If that money can’t be used for climate, it may wind up going to other priorities including cybersecurity.
“Because a lot of those components that are necessary for solar and inverters and even in wind turbine technology and critical minerals … required for batteries and other modern technologies are all from overseas for the most part,” he said. “The Buy American guidance in that is probably the most impactful tool on the cyber side quite honestly. It is going to depend on how they interpret it, where do they like to grant waivers, where do they like not to grant waivers.”
The project is expected to take a decade if not more, but officials at Energy believe it represents a singular chance to shore up the resilience of one of the most vital sectors in American society. Climate and green energy still appear to be the clear spending priorities for the administration, but officials at CESER say there is no reason that the sector can’t take advantage of the law to solve some of its other most enduring problems at the same time.
“You have a lot of these trends coming together to make this an optimal point in time, and now of course with the infrastructure bill we’re beginning to make those investments,” said Caddy. “So [the question is] how do we use the occasion of having a once-in-a-generation opportunity to invest, to get more efficient from an economic standpoint, but also efficient from renewables and green technology standpoint, and also build secure? We can do all of these things together.”