- A new report from the National Commission on Grid Resilience (NCGR) calls for declassifying and giving utilities greater access to information about threats facing the United States' electric system, to better protect critical infrastructure and communicate the extent of the risk to the public and decision-makers.
- The report recommends Congress develop a new independent agency staffed by cybersecurity and defense experts, and "a profound overhaul of the communication of classified threat information to utilities."
- The call for greater information sharing with the electric industry is not new, but security experts questioned the need for a new federal agency when similar work is already being done by the Electricity Subsector Coordinating Council (ESCC) and NERC’s Electricity Information Sharing and Analysis Center (E-ISAC).
There is some risk in declassifying threat information, experts concede, as it may tip off foreign adversaries to the electric sector's defense capabilities and the United States' information gathering processes. However, as attempts to disrupt the power grid become more sophisticated, NCGR's analysis views this as a necessary tradeoff to better inform the industry of the growing threat.
"This is a national security threat, but it's not widely recognized by the American people. And even the people who should be charged with protecting us from it, often don't get the information they need," retired General Wesley Clark said Thursday at a public virtual event unveiling the commission's recommendations.
Clark is an NCGR commissioner, along with former Republican Rep. Darrell Issa from California; Kevin Knobloch, a former DOE chief of staff who is now president of Anbaric offshore wind development entity New York OceanGrid LLC; Gueta Maria Mezzetti, a former member of the Pentagon’s Energy Security Executive Council; and several others. The group is chartered and supported by Woodstar Labs, a non-profit technology and analysis firm owned by Associated Universities Inc.
The report includes nine recommendations and calls for federal lawmakers to direct the Department of Energy (DOE), Department of Homeland Security (DHS) and the Director of National Intelligence to "establish a central clearinghouse and decisional node for communicating full and accurate threat information to bulk power system operators and electric utilities."
Congress should establish a National Resilient Grid Authority to help test for and protect against electric system vulnerabilities, according to the report. The new agency would be independent and staffed by rotating appointments of security experts from both the private and public sector, the group said.
Clark said the government needs to build on the current Cybersecurity Risk Information Sharing Program (CRISP), which is a collaboration between the E-ISAC, DOE and the Pacific Northwest National Laboratory.
CRISP disseminates threat information, Clark said, "but it's not fast enough, and it's not detailed enough to take responsive action."
DOE did not respond to requests for comment on CRISP's capabilities.
NERC, in an emailed statement, said that timely and actionable information sharing "are essential to grid security," and said it works with E-ISAC to"operate a full suite of products and services designed to provide threat intelligence and coordination to North American utilities on a range of cyber and physical security threats."
Along with CRISP, those tools include NERC alerts, All Points Bulletins and Critical Broadcast Program calls. NERC and E-ISAC communications with utilities "focus on sharing security threats and mitigations in near-real time," a spokesman said in an email.
But according to Clark, DOE, DHS and and industry entities "need expanded powers" to "name and shame" hostile actions and attack attempts, with an emphasis on the frequency of intrusions.
"I know this risks indicating how much we know about adversaries, but it's a risk we have to take as a nation because we've got to get the American people and our private sector institutions to understand what we're up against," Clark said.
Security experts agree the need for threat information sharing is essential, but questioned the efficacy of a new federal agency and warned there can be danger in providing the industry with too much data.
Any communication overhaul should leverage existing self-governance mechanisms within the industry, including ESCC and E-ISAC, said Shawn Wallace, vice president of energy at IronNet Cybersecurity. That approach is endorsed by the NCGR recommendations, but Wallace balked at creation of a new federal agency.
"We do not need a new group or federal agency to step into this function when the E-ISAC is already performing this role in the sector," he said in an email. He agreed with calls for real-time information sharing networks and action tools that "reach directly into system control rooms."
"In order to meet the future threats, information sharing needs to be automated and real time," Wallace said. "Utilities don't need more information, they need better resolution on the information that's already out there. ...If they're taking in too much information it can become diluting and they'll struggle to get value from it."
The call to more quickly disseminate threat information to the utility sector is not new. Last year, NERC President and CEO Jim Robb called for the federal government to accelerate the declassification of industry-relevant information regarding cybersecurity threats and consider broadening the availability of security clearances for the energy sector.
Other NCGR security recommendations include development of a nationwide network of resilience-focused microgrid test beds, changes to both on- and offshore transmission planning and a strategic reserve of grid transformers and other critical infrastructure.