The Electric Sector Cybersecurity Risk Management Maturity project, a federal program to find and contain gaps in the cyber security defenses protecting the nation's electric grid, will be headed by the Department of Energy (DOE), with assistance from the Department of Homeland Security (DHS) and the private sector. The program originated from a proposal from the White House.
“Establishing a comprehensive cyber security approach will give utility companies and grid operators another important tool to improve the grid's ability to respond to cybersecurity risks,” Chu said in news release last week.
Patrick Miller, president and CEO of the National Electric Sector Cybersecurity Organization, a nonprofit that supports organizations operating within the energy sector, said the DOE is the right choice to assess how the grid will behave, should there be an attack.
But the major issue asset owners still face is whom to contact for response when an attack occurs.
The DOE has limited regulatory authority and is more focused on research, he says. Currently, the Federal Energy Regulatory Commission (FERC) oversees the majority of system security standards, while the DHS, DOE and National Security Agency (NSA) also have oversight responsibilities.
In addition to the federal agencies with enforcement and reporting responsibilities, Miller said states also exert cyber security responsibility over infrastructure operations, including the power grid. Fusion centers, facilities funded by the DHS and manned by both state and federal emergency response officials but ultimately managed by the states, also have jurisdiction if attacks are made on infrastructure assets, he said.
Miller said the DOE initiative is a good first or second step in determining how to protect the power grid, but a critical issue that has yet to be addressed is response. “If an (infrastructure) owner is under attack, who do you call?” he asked.
The DOE plans to hold a series of workshops with the private sector representatives over the coming months to draft the maturity model. More than a dozen electric utilities and grid operators are expected to participate in the pilot project, the DOE said.The announcement follows the release of a report from the Massachusetts Institute of Technology (MIT) that suggests that the U.S. power grid could not be fully protected from cyber attacks and recommended that a single federal agency be put in charge for all cyber security.