President Trump recently issued an Executive Order to bar the purchase of certain critical electrical grid components from foreign adversaries. This order—like a similar telecommunications order released last year—reflects an acknowledgment by the federal government of a longstanding cyber threat to the electric grid posed by compromised equipment.
As with other threats to our critical industries such as the financial and defense sectors, it’s not a problem the government can solve on its own. However, the executive order convenes a task force made up of no fewer than seven separate government agencies with the Department of Energy in the lead. Industry, through the Electricity Subsector Coordinating Council (ESCC), has only a consulting role, and this should be expanded.
We’ve long known about the threat posed to our electric power sector and other critical industries by foreign cyber actors, particularly nation-states with advanced capabilities such as Russia and China, as well as those with increasing capabilities like Iran and North Korea. And to address these threats, the electric power industry has taken steps to work with one another and the government through a variety of public and private sector-led efforts, including the Electricity ISAC and the Electricity Subsector Coordinating Council (ESCC), composed of large utilities, municipalities, cooperatives and leading industry groups.
Cyber Industry Delivers Cutting-Edge Automation
Industry can play a very important role in solving the cyber threat to the electric grid. Private sector companies own and operate our critical infrastructure and they know where the risks are. These companies are on the front line of resilience and have the closest viewpoint into the prevailing vulnerabilities and threats.
While the energy sector has become a model for how industries should work together, we need to transition from human-based collaboration to automated, machine-based collaboration. Only by leveraging technology developed by private companies can we match the speed and scale at which nation-state adversaries operate. An automated system that gives energy companies early warning of coordinated cyberattacks that may have never been seen previously will also become an important factor in our success.
With such tools, energy companies can actually see what’s hitting their sector in real time and, together with SOCs, can analyze the information for everyone’s benefit. The industry can then share this information with the federal government, giving it a real-time view into the attacks hitting critical infrastructure. If our adversaries are leveraging technology to make coordinated attacks on the sector, it stands to reason that we need to use technology to defend together.
While collaboration opportunities around threat-sharing within groups such as the Cyber Threat Alliance are valuable, we should go beyond that to address the potential risk in the supply chain. It will take years to work through the replacement schedule for the legacy equipment that makes up the electric grid; as risks are identified, private sector cybersecurity companies can innovate and deploy a solution to mitigate them.
The electricity sector should convene a team of energy companies, trade organizations, major equipment suppliers and the leading cybersecurity companies to take this on. The group would focus on how to leverage technology to mitigate risk with the scope of solutions being widely deployable and cost-effective. The group would make reports public in a limited manner so that energy companies can leverage the full private-sector cybersecurity market to support competition and rapid development without disclosing sensitive information.
Collaboration Keeps The Lights On
The critical knowledge-sharing and action in this process will take place with the help of the government, energy companies, supply chain and cybersecurity providers. The federal government will gain a view into energy sector vulnerabilities and threats, and can also contribute valuable information to the collaboration. As gaps, risks or future needs are identified, the group can address them and then have these new ideas readily implemented in the private sector and vendor community.
For at least the foreseeable future—until (and unless) the United States truly recommits itself to building the industrial base for critical infrastructure at home—the nation will remain reliant on certain foreign providers. And while we could (and likely should) seek to buy as much of our equipment as possible from our allies, buying electrical components solely from our traditional allies may also present technical, logistical and economic challenges.
Forging the Public-Private Partnership
So how can the government and industry work together to best protect our infrastructure, not just in the electric power sector, but across all the important critical infrastructure industries? The recent recommendations of the Cyberspace Solarium Commission advocate for a close partnership between industry and the government, with industry offering its expertise and guidance directly to the government policy makers seeking to address this threat.
The new executive order includes important elements that could permit this approach to succeed, and moving forward, it’s important that the knowledge and technologies under development in the private sector are leveraged. By working collectively, government and industry can protect the nation’s critical infrastructure against serious foreign threats in a smart manner and on behalf of the American people.
Shawn Wallace, vice president, Energy, IronNet Cybersecurity