- The White House this week issued a policy directive laying out ways the federal government will coordinate with industry and the public and private sectors in the event of a significant cyber attack, including potential threats to the nation's electric grid, SNL Energy reports.
- Some industry experts, however, say the plan is too focused on the government side of a cyber response, and overlooks the fact that most energy infrastructure in the United States is owned by private parties.
- A potential cyberattack on the United States electric grid is a growing concern, following an attack that led to a widespread Ukraine blackout last year and a growing acknowledgement that the nation may be unprepared to fend off sophisticated attacks.
The White House's policy directive acknowledges the growing threat of cyberattacks and the need to coordinate on a response, but some in the electric industry say the plan may overlook details which make the grid uniquely difficult to defend.
"While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts," the White House said.
According to the plan, in the event of a significant attack federal agencies will take on three specific approaches: threat response, asset response, and intelligence support. And when a federal agency is an affected, a fourth line of defense directs the agency to manage the impacts on its operations, customers, and workforce.
Threat response focuses on law enforcement and national security responses. Asset responses include furnishing technical assistance, identifying other entities that may be at risk, assessing potential cascading effects, and facilitating information sharing and operational coordination.
"When a cyber incident affects a private entity, the Federal Government typically will not play a role in this line of effort, but it will remain cognizant of the affected entity’s response activities, consistent with the principles above and in coordination with the affected entity," the White House said.
But while there is growing acknowledgement of the need to buttress cyber defenses, some say the White House's new directive does not go far enough.
"This directive is very focused on the federal government response, but falls short in recognizing that most critical infrastructure is owned and operated by the private sector," Navigant security consultant Brian Harrell told SNL Energy. "It is laudable to have your federal response 'ducks in a row,' but any plan should also recognize private sector efforts and the assistance required during a catastrophic attack."
Earlier this month, federal regulators directed the North American Electric Reliability Corp. (NERC) to develop an improved cybersecurity protocol to protect the nation's electric grid, calling for a supply chain risk management standard that protects both information systems and related bulk electric system assets. And the Federal Energy Regulatory Commission (FERC) is also considering changes to its Critical Infrastructure Protection standards regarding the protection of control centers that are used to monitor and control the bulk electric system in real-time.
Last year, NERC helped stage a simulated attack on the North American electric grid, and while a followup report showed progress has been made on hardening grid assets, it also revealed that improvements were needed, particularly in upgrading the Electricity Information Sharing and Analysis Center portal and enhancing coordination with law enforcement.