- Following a rash of cybersecurity attacks against U.S. targets, President Joe Biden on Wednesday met with leaders from energy, technology, finance and other sectors to discuss how the federal government and private industry can secure the electric grid and other critical infrastructure.
- At the summit, the Biden administration announced plans to expand an industrial control systems security initiative that the electric sector piloted, along with efforts to better secure the technology supply chain.
- The summit highlighted the utility sector's previous work with the federal government, with the CEOs of Southern Co., Pacific Gas & Electric and Duke Energy in attendance. The White House also noted in a fact sheet released Wednesday a slew of new cybersecurity commitments from several participants in the summit, including Google, Apple, Amazon and IBM.
Private industry owns the vast majority of U.S. critical infrastructure but must partner with the federal government to defend it from increasingly sophisticated attacks, industry leaders said after Biden's summit.
"The U.S government should establish a unified and sustainable public-private framework to enhance cyber collaboration," Southern Chairman, President and CEO Tom Fanning said in a statement.
According to Fanning, the private sector owns and operates 87% of U.S. critical infrastructure, making collaboration "imperative to thwart these attacks."
The administration announced that the National Institute of Standards and Technology will work with the private sector on a new framework to improve the security and integrity of the technology supply chain.
The administration will also be expanding an industrial control system security initiative beyond its initial users in the electric sector. The industrial control systems cybersecurity initiative has already assisted more than 150 electric utilities, according to the White House, and it will now expand to natural gas pipelines. Led by the Cybersecurity and Infrastructure Security Agency and the U.S. Department of Energy, the initiative aims to protect industrial control systems through the installation of sensors and monitoring equipment.
Apple also committed to establishing a program to drive security improvements throughout the technology supply chain, while Google announced it will invest $10 billion over the next five years to expand zero-trust programs, address vulnerabilities in the software supply chain, and enhance open-source security.
Supply chain vulnerabilities have been a growing area of focus since the SolarWinds breach was discovered in 2020. About 25% of power utilities were exposed to the malware, according to the North American Electric Reliability Corp. However, no subsequent activity from hackers was detected beyond the initial breach.
Attacks intended to disrupt critical systems are rare, experts say, as threats to utilities and other critical infrastructure are often ransomware attempts by cybercriminals looking for quick financial gain. While the Colonial Pipeline attack began with ransomware targeting the IT side, the impacts ultimately led the company to proactively shut down the refined oil products distribution system.
Ransomware is rapidly becoming more sophisticated and spreading because the potential financial gain for attackers is "huge, and only growing," said Lynn Costantini, deputy director of the National Association of Regulatory Utility Commissioners' Center for Partnerships and Innovation.
Speaking at a webinar on Wednesday that NARUC and its research arm, the National Regulatory Research Institute, hosted, Costantini said ransom demands "are now in the millions when they used to be in the thousands. And attackers now, because of Colonial Pipeline, realize what it's worth to us not to have our files encrypted" by malicious parties.
Colonial Pipeline wound up paying $4.4 million in bitcoin to hackers, though some of those funds were later recovered with the help of federal law enforcement. Financial gain remains the main motivator for attacks, but experts warn that might not always be the case.
"The silver lining that's come out of all these ransomware attacks is, it's raising that level of awareness," Eric Meyers, chief information security officer at the New York Power Authority, said Wednesday at the same webinar.
"There's going to be a time when money isn't the motive for one of these types of attacks. It will be an act of war. By going through this now, we'll all be in a better position to help defend our critical infrastructure," Meyers said.