- The electric utility sector should “build in cybersecurity proactively” as a “new generation of interconnected hardware and software systems” is developed to manage the nation’s clean energy resources, the White House said in a national cybersecurity strategy released last week.
- It calls for “expanding the use of minimum cybersecurity requirements in critical sectors,” which utilities already incorporate, and shifting liability from end users to software and services developers “to promote secure development practices.”
- The changes will likely mean higher costs for the electric utility sector, according to Ethan Schmertzler, CEO of operational technology security firm Dispel. “Utilities and the communities that they serve are going to have to work together with the government to determine a funding path forward,” he said in an email.
The U.S. is making a “generational investment in new energy infrastructure,” and the White House’s new cybersecurity strategy calls for securing it through the 2022 Congressionally-directed National Cyber-Informed Engineering Strategy “rather than developing a patchwork of security controls after these connected devices are widely deployed.”
The U.S. Department of Energy unveiled the engineering security strategy last year to incorporate more cyber resilience during the manufacturing, development and deployment of computer systems used by energy providers.
The agency and its national laboratories are “leading the government’s effort to secure the clean energy grid of the future and generating security best practices that extend to other critical infrastructure sectors,” according to the White House cybersecurity strategy. “DOE will also continue to promote cybersecurity for electric distribution and distributed energy resources in partnership with industry, States, Federal regulators, Congress, and other agencies.”
Experts say the impact of the new strategy may be muted — at least initially — for electric utilities, but it could ultimately lead to higher costs.
The electric power sector already meets minimum security standards through the North American Electric Reliability Corp.’s Critical Infrastructure Protection rules and “has nothing to fear from new cyber regulation as a result of the new strategy,” security consultant Tom Alrich said.
“Other critical infrastructure industries like water or petroleum refining that don’t currently have to comply with cyber regulations might face them at some point. However, that’s likely to be years in the future,” Alrich said, given that Congressional action will be required.
“The energy sector can be expected to see increased scrutiny and revised best practices surrounding cybersecurity guidelines,” said Antoine Snow, senior public sector solution engineering manager for AvePoint, a platform that optimizes software as a service operations.
“This will be pivotal in ensuring critical energy infrastructure is protected from the increasing amount of cyber threats and further reducing risk,” he said.
“Stricter standards would be beneficial” for the electric sector, Dispel’s Schmertzler said. He advocates for security guidelines set by the National Institute of Standards and Technology to be made “more compulsory and less of a recommendation.”
The national cybersecurity strategy “clearly indicates a greater role for the government in being the front-line in cybersecurity — rather than individuals and businesses,” Schmertzler said, though he added that with more regulation, the federal government may need to work with utilities on how increased security is funded.
Utility companies “must turn their focus toward developing a comprehensive defense and prevention strategy,” said Dana Simberkoff, AvePoint chief risk, privacy and information security officer. The White House's cybersecurity strategy “brings to light just how essential it is for utility and power companies to continue safeguarding [their systems] ... [and] makes clear it's no longer enough to have legacy and outdated response policies in place.”
The White House said it plans to work with Congress and the private sector “to develop legislation establishing liability for software products and services” that would prevent “manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios.”
To incentivize secure software development practices, the strategy calls for encouraging “coordinated vulnerability disclosure across all technology types and sectors,” promoting development of software bills of materials, or SBOMs, and developing “a process for identifying and mitigating the risk presented by unsupported software that is widely used or supports critical infrastructure.”
The utility sector has been working with the federal government to utilize SBOMs in procurements.
Alrich said software development processes should be secure but warned against pursuing greater developer liability as an easy fix.
“The liability for almost any cyber breach can be traced to thousands of clueless individuals in all walks of life,” he wrote Friday on his blog. “If you wanted to assign liability properly, you’d have to trace down all these individuals and spend a year or two figuring out exactly how much of the bill each of those parties is responsible for. Then, you’d have to get each of them to pay their fair share.”