Critical Infrastructure Protection Initiatives

On April 20th, it was announced that the U.S. Government was directing the Cybersecurity and Infrastructure Security Agency (CISA), Department of Energy, and the electricity industry to conduct a 100-day sprint in which they will address critical risks to the U.S. power grid. It, “represents swift, aggressive actions to confront cyber threats from adversaries who seek to compromise critical systems that are essential to U.S. national and economic security,” according to the announcement.

To achieve this goal, the efforts undertaken in this “sprint” focus on encouraging power grid players to:

1. Implement measures or technology that enhance their detection, mitigation, and forensic capabilities.
2. Deploy technologies that enable near real-time situational awareness and response capabilities in the critical industrial control system (ICS) and operational technology (OT) networks.
3. Enhance the security posture of their IT networks.
4. Deploy technologies to increase the visibility of threats in ICS and OT systems.

Additionally, as part of the plan, the administration has reactivated an executive order put into place by the Trump administration and initially suspended when Biden first took office. That order bars electric utilities from purchasing what has been deemed high-risk electrical equipment purchases such as high-voltage transformers from foreign adversaries, particularly China.

To further manage supply chain threats that stem from adversarial nations, the DOE also announced a new request for information (RFI), “Ensuring the Continued Security of United States Critical Electric Infrastructure,” that focuses on, “preventing exploitation and attacks by foreign threats to the U.S. supply chain.” This RFI is part of a broader initiative, “America’s Supply Chains,” EO 14017, that seeks to examine and increase the resilience of supply chains across the U.S. economy.

One of the main issues facing the sprint that this group will be tackling is, how do we work with the multiple entities that make up the power grid? Some of them are local government-owned; others are owned privately. Others are actually conglomerates that are working together. All of them are interconnected into the national grid, which has some basic standards, at least for operation. They will work to encourage participation in order to first gain situational awareness and then move to recommending and implementing controls to protect these systems.

Asset owners also struggle with a lack of cyber talent available on the market to help them secure their systems which are comprised of products from many vendors. Even if vendors supply secure products and systems, it becomes a system of systems challenge for integrators, owners, and operators.