The Biden Administration has committed to making cybersecurity a
top priority and is now turning its focus towards energy
infrastructure, which is widely recognized as vulnerable to
cyberattack due to grid control systems. The U.S. Department of
Energy (DOE) has launched a 100-day initiative to "advance
technologies and systems that will provide cyber visibility,
detection, and response capabilities for industrial control systems
of electric utilities."
Since the initiative was announced on April 20, 2021, Colonial
Pipeline reportedly became the victim of a ransomware attack that
forced a precautionary shutdown of the pipeline. Colonial Pipeline
supplies almost fifty percent of the East Coast's gasoline,
diesel and jet fuel. The attack was one of the most successful
cyberattacks on oil infrastructure in the U.S. to date and
highlights the vulnerability of critical U.S. infrastructure.
DOE's initiative outlines four primary areas of focus: (1)
encouraging the implementation of measures that increase
"detection, mitigation, and forensic capabilities; (2) setting
"concrete milestones" designed to "enable near real
time situational awareness and response capabilities"; (3)
supporting and increasing the "cybersecurity posture of
critical infrastructure information technology (IT) networks";
and (4) establishing a voluntary program "to deploy
technologies to increase visibility of threats in ICS and OT
systems."
In addition to the 100-day initiative, the DOE also recently
issued a Request for Information (RFI) seeking
input on supply chain security in U.S. energy systems. This follows
Trump's Executive Order 13920, which concentrated on
securing the United States bulk-power system supply chain and is
set to expire on May 1, 2021. The RFI is intended for DOE to
"evaluate new executive actions to further secure the
nation's critical infrastructure" and "strengthen the
domestic manufacturing base." The RFI also represents a key
opportunity for stakeholders to address concerns and implementation
problems that arose under EO 13920. Responses to the RFI are due by 5:00 pm on Monday, June 7,
2021.
Beyond the foregoing Executive Branch actions, Congress has also
demonstrated a renewed interest in addressing these issues. Three
bills focused on improving the electric grid's resilience to
cyberattack (H.R. 360, H.R. 359, and H.R. 362) were introduced in the last congress
but none of them became law. In the last month, new versions of all three of these
bills have been introduced. On April 30th, Bob
Latta (R-OH) and Jerry McNerney (D-CA) introduced two bills, the
"Cyber Sense Act and the Enhancing Grid Security through
Public-Private Partnerships Act" and the "Enhancing Grid
Security through Public Private Partnerships Act." Then on May
11th Bobby Rush (D-IL) and Tim Walberg (R-MI)
introduced the "Energy Emergency Leadership Act" to
consolidate responsibility for energy emergencies and cybersecurity
in the DOE. Although the last Congress's legislative efforts
were unsuccessful, the increased focus on cybersecurity coupled the
notoriety of the Colonial Pipeline attack may lead to a different
result this time around.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Gloss