The bipartisan infrastructure bill heading to President Joe Biden's desk includes billions to help secure the nation's power grid from a growing range of threats, and specifically has $1 billion earmarked to help state, local and tribal governments protect sensitive systems from hackers.

The legislation also includes $100 million for a Cyber Response and Recovery Fund to support "federal and non-federal entities" impacted by a significant hacking incident, according to Sen. Gary Peters, D-Mich., the chairman of the Homeland Security and Governmental Affairs Committee. It would also grant new authority to the Department of Homeland Security (DHS) in the event of a significant cyber attack or imminent threat.

"Extreme partnerships" between the federal government and private sector will be necessary to protect an increasingly decentralized grid, U.S. Department of Energy (DOE) Deputy Secretary David Turk said Wednesday at a cybersecurity event hosted by the Solar Energy Industries Association (SEIA).

A whole of government approach

Securing the nation's electric grid will require a whole-of-government approach alongside deep partnerships with utilities and the energy supply chain, Turk said. Funding included in the bipartisan bill can help develop and maintain that, he added.

The House voted 228-206 on Friday to approve a $1.2 trillion infrastructure bill that includes a wide range of investments in the power grid. Turk spoke two days ahead of the vote, and the programs he discussed were included in the final bill.

According to the White House, the infrastructure bill includes $50 billion to secure infrastructure from climate change and cyberattacks.

That is "a huge amount of funding to allow us to build the kinds of grids, the resilient grids, the cyber secure grids, that we need in our country," Turk said. 

He pointed to the need to build "actionable partnerships" similar to DOE's security accelerator, which aims to develop zero-trust cyber solutions for clean energy systems. The accelerator will utilize the National Renewable Energy Lab's Advanced Research on Integrated Energy Systems platform to simulate how hackers might attack, with Berkshire Hathaway Energy and Xcel Energy providing input from industry.

"The other thing that's important, especially on the cybersecurity side, we need to share information ... in a way that we've not really done, from the public side and the private side," said Turk.

"Easier said than done," he added. "We need to make sure we have systems to declassify information in ways that are useful and relevant for the private sector actors out there so that they can take [the] protections that they need. And we need the private sector to be forthcoming with us so that we have that information."

"I'm worried that we're not going to collaborate as deeply and as quickly as we need to, in order for us to be successful," he said.

Assisting state, local and tribal governments

Provisions in the infrastructure bill provide funding to help local, state and tribal governments deter attacks. There is also $21 million in funding for the newly created office of the National Cyber Director, said Sen. Peters.

"Recent cyber-attacks have hit everything from government offices to critical infrastructure companies," Peters said in a statement. The infrastructure bill will "strengthen cybersecurity in local communities across the nation, safeguard Americans' personal information, and provide our national security agencies with more resources to deter attacks and help public and private entities, such as critical infrastructure companies, recover from them."

Peters also said he helped secure provisions to "create an authority for the Secretary of Homeland Security, in consultation with the [National Cyber Director], to declare a Significant Incident in the event of an ongoing or imminent attack that would impact national security, economic security, or government operations."

With that declaration, the U.S. Cybersecurity and Infrastructure Security Agency could "coordinate federal and non-federal response efforts," said Peters, and allow the secretary of DHS access to the Cyber Response and Recovery Fund.

The bill's funding for power and water system resiliency is encouraging, said Mark Carrigan, senior vice president of process safety and OT cybersecurity at Hexagon PPM. 

"Implemented properly, this program could make a considerable difference by making our critical infrastructure more resilient to events that are inevitable - hurricanes, droughts, floods, and cyber-attacks," Carrigan said in a statement. He also warned that the funding must be spent carefully.

If the program of investments is implemented improperly, "taxpayers could end up spending a lot of money but still find themselves without power for a long time after an employee accidentally opens the wrong email that grants access to the wrong people," he said.

More funding possible

More funding to help secure critical infrastructure is also included in the reconciliation package still being debated by lawmakers, said Turk. It includes $110 billion "all focused on clean energy manufacturing, and bolstering our domestic production of clean energy," he said.

So far, the U.S. electric sector has been relatively successfully in maintaining grid reliability in the face of daily attacks, said Kate Marks, acting deputy assistant secretary of infrastructure security and energy restoration in DOE's Office of Cybersecurity, Energy Security and Emergency Response.

"But as the sector evolves ... we know that it's become an increasingly attractive target to our cyber adversaries," said Marks, also speaking at the SEIA event. The growth of distributed renewables presents specific challenges as well.

"With an increasingly geographically dispersed energy system with increasingly interconnected systems ... we really see a multi-threat environment with the potential for additional cascading impacts during a disruption," Marks said. "That really complicates the security landscape that we're dealing with."

A new public-private security partnership headed by the U.S. Department of Energy aims to accelerate development of zero-trust cyber solutions for clean energy systems, with Berkshire Hathaway Energy and Xcel Energy providing strategic direction from the industry side.

The accelerator will utilize the National Renewable Energy Lab's Advanced Research on Integrated Energy Systems (ARIES) platform to simulate how hackers might attack complex energy systems. 

The security accelerator will test new technologies to "make clean energy systems cyber secure from a project's inception," U.S. Deputy Secretary of Energy David Turk said at a Wednesday roundtable.

'More frequent, sophisticated and dangerous'

Cyberattacks are getting "much more frequent, sophisticated and dangerous," Turk said, and defending critical infrastructure like the U.S. power grid will require the efforts of both government and industry.

"We're not going to be successful on cybersecurity unless it's a public-private partnership," Turk said. "Both the government and private sector are bringing unique assets to this partnership to make this work."

The accelerator will use ARIES to test cybersecurity technologies "in a realistic simulation of the grid," said Turk. The platform simulates system-level security evaluations for bulk power renewables and distributed energy resources.

DOE's Office of Energy Efficiency and Renewable Energy has invested nearly $40 million in the ARIES platform over the last couple of years, according to DOE Acting Assistant Secretary Kelly Speakes-Backman. The National Renewable Energy Lab's facility is helping prepare the grid for the addition of electric vehicles, renewable energy generation systems, energy storage, and grid-interactive, efficient building devices, she said.

"It's a pretty substantial scale-up of experimentation that we have done over the years, being able to directly connect up to 20 MW of equipment on site," Speakes-Backman said.

DOE has made other cybersecurity investments the accelerator can leverage, though the ARIES platform is "a great starting point," said Speakes-Backman. The agency will also invest $70 million over the next five years in the Cybersecurity Manufacturing Innovation Institute, to develop a cyber-focused federal institute to help the U.S. achieve efficiency improvements while also bolstering domestic manufacturing.

Securing clean energy infrastructure

Those federal investments are important to securely building out clean energy infrastructure, according to Michael Ball, Berkshire Hathaway Energy's chief information security officer.

The new security accelerator will allow Berkshire Hathaway to test energy solutions "in an environment that mimics what we ... have to operate in every day," said Ball.

The goal is to "build inherent security and resiliency into the systems," Ball said. "We appreciate the opportunities to partner with government to harness some of the investments that ... are giving us a platform by which we can achieve those very things."

The accelerator allows for "huge economies of scale" as utilities tackle security challenges inherent in a changing grid, said Xcel Energy Chief Security and Privacy Officer James Sample. "This is bigger than any one utility. And as we all know, we're interconnected, we have to work together."

Zero-trust security essentially means devices do not trust one another by default, and Sample said there are fundamental issues that come with integrating legacy devices into a modern, distributed grid utilizing a zero-trust approach. Existing devices "really aren't built to be zero-trust," he said. "They're built to trust each other. That's what the control systems do."

This means you can't retrofit existing infrastructure to be zero-trust, said Sample. "We've got to fundamentally redesign the way that the assets work."

Sponsored content

By Dragos

By: Jason Christopher, Dragos Principal Cyber Risk Advisor

The electric utility industry is a valuable target for adversaries seeking to exploit industrial control systems (ICS) and operations technology (OT) for a variety of purposes. A power disruption event from a cyberattack can occur from multiple components of an electric system including disruptions of the operational systems used for situational awareness and energy trading, targeting enterprise environments to achieve an enabling attack through interconnected and interdependent IT systems, or through a direct compromise of cyber digital assets used within OT environments. Attacks on electric systems – like attacks on other critical infrastructure sectors – can further an adversary’s criminal, political, economic, or geopolitical goals. As adversaries and their sponsors invest more effort and money into obtaining effects-focused capabilities, the risk of a disruptive or destructive attack on the electric sector significantly increases.

The number of publicly known attacks impacting ICS environments around the world continues to increase, and correspondingly the potential risk due to a disruptive cyber event impacting the North American electric sector is currently assessed as high. This report highlights multiple threats and adversaries focusing on critical infrastructure and their capabilities. Dragos anticipates the threat landscape associated with the sector will remain high as the detected intrusions continue to rise.

Of the activity groups that Dragos is actively tracking, nearly two-thirds of the groups performing ICS specific targeting and disruption activities are focused on the North American electric sector. Additionally, existing threats to ICS are expanding and establishing new interest in electric utility operations in North America. For example, the Dragos tracked activity group XENOTIME – the most dangerous and capable activity group – initially focused its targeting efforts on oil and gas operations before expanding to include North American electric utilities. Dragos also identified the MAGNALLIUM activity group expanding targeting to include electric utilities in the US. This activity group expansion and shift to the electric sector coincided with increasing political and military tensions in Gulf Coast Countries (GCC).

Dragos research of the CRASHOVERRIDE attack indicates ELECTRUM targeted recovery operations. Such activity, if successful, could prolong outages following a cyberattack and cause physical damage to equipment or harm to operators. These findings suggest the group had greater ambitions than what it achieved during its 2016 attack, and represent worrying possibilities for safety and protection-focused attacks in the future.

Historically, adversaries have demonstrated the capabilities to significantly disrupt electric operations in largescale cyber events through specialized malware and deep knowledge of targets’ operations environments. Although North America has not experienced similar attacks, ICS-targeting adversaries exhibit the interest and ability to target such networks with activities that could facilitate such attacks.

The electric sector, as a whole, has been working for over a decade to address cyber threats through board level decisions, 1 preparedness exercises like GridEx, the NERC CIP standards, and direct investment in ICS specific security technologies. However, adversaries will continue to evolve and the industry must be ready to adapt

Vulnerable software and data supply chains expose the U.S. power grid to attack, and the U.S. Department of Energy wants to address the issue by reimagining the sector as similar to the defense industrial base, officials said Wednesday at a meeting of the DOE's Electricity Advisory Committee. 

Policies to address digital supply chain vulnerabilities are being developed and will be included in a report to the White House next year, said Cheri Caddy, senior advisor for cybersecurity in DOE's Office of Cybersecurity, Energy Security and Emergency Response (CESER).

Chief among those policies, Caddy said, would be development of an Energy Sector Industrial Base similar to how the U.S. Department of Defense coordinates with a broad range of industries. The energy sector base would be a collaboration among DOE, the rest of government and the global private sector, capable of developing and maintaining the systems required to meet the United States' energy needs.

Casting a wide net

The energy sector is much larger than just energy companies, so securing its supply chains means casting a wide net, said Caddy. For energy, that could include critical manufacturing and software developers, water and communications companies, along with more traditional players.

"All of those are really part of the energy sector industrial base that we want to bring in, to put a rope around in a policy way, when we're thinking about certain types of policy or mission areas that apply broadly," Caddy said.

The goal, said Caddy, is to ensure stakeholders are broadly defined on projects or initiatives that require inclusiveness — similar to how DOD has approached defense for decades. And, she added, those stakeholders will evolve with the grid.

"As we introduce and accelerate more clean energy distributed resources, we're looking at adding additional stakeholders into the energy sector industrial base," Caddy said. 

Guarding physical and digital assets

Securing that supply chain will help guard both physical and digital assets, she said, as software and data increasingly represent potential vulnerabilities. The acquisition of companies by foreign businesses exposes data and energy modeling to possible manipulation, Caddy said, and the code used in modern software is difficult to track.

The opaque development of software is an issue the federal government is already working to tackle. President Joe Biden issued an executive order in May to require the use of software bill of materials in government procurements, to allow for more efficient tracking of known vulnerabilities. And the utility sector has been collaborating with the U.S. Department of Commerce's National Technology and Information Administration on the tracking program.

"We're all concerned about reliance on foreign suppliers," particularly because software development can occur in adversary nations, Caddy said.

"That's exposing potentially our digital supply chain to risk from foreign interference," Caddy said. "We really can't tell a lot about where code is developed. It's assembled from all over the world. Software developers, of course, reuse code libraries, so we don't know where it comes from. ... So it is definitely a potential supply chain vulnerability."

Specific policies to address digital supply chain vulnerabilities will be included in CESER's report to the White House in February 2022.

"We're looking at the full range of policy solutions, and the White House has encouraged us to really think outside of the box," Caddy said. The report will consider possible executive actions, legislation, tax incentives and tariff policy, she said.

Federal officials are beginning work with the private sector to prepare for the historic provision passed last week that requires critical infrastructure providers to notify the Cybersecurity and Infrastructure Security Agency of malicious cyber intrusions. 

Critical providers including utilities, banks, energy providers and other sectors will have to alert CISA within 72 hours of a major cyberattack or 24 hours of a ransom payment under new federal regulations. The requirements are part of a long-sought partnership that shields companies from liability and allows for rapid intelligence sharing.

The legislation gives CISA the authority to subpoena companies that fail to adhere to the reporting requirements and refer them to the Department of Justice if they fail to provide the requested information.

The Edison Electric Institute, which represents investor-owned utilities, said it will work with CISA and "other government partners" to integrate new requirements into rules that already exist for the electric power sector. Some reporting requirements already exist for utilities, through Critical Infrastructure Protection (CIP) rules overseen by the North American Electric Reliability Corp.

The industry will work to "harmonize new and existing reporting requirements," EEI Senior Vice President, Security and Preparedness, Scott Aaronson said in a statement.

The goal of the legislation is to provide legal cover for companies to share threat intelligence with law enforcement and government agencies. The SolarWinds attack showed how federal authorities had little to no insight into the nation's IT infrastructure.

The private sector has only informed government agencies of about 30% of cyberattacks they have encountered, said Sen. Mark Warner, D-Va., chairman of the Senate Intelligence Committee, during a hearing last week on worldwide threats.  That means the government has no intelligence on about 70% of the cyber threats facing the U.S. 

Executives in the C-suite and shareholders often keep data breaches and cyberattacks on a need-to-know basis, fearing the embarrassment of public disclosure and concerned that information sharing would open them to investor suits, law enforcement probes and irreversible damage to brand reputation.

"Many companies have historically wanted to maintain plausible deniability because the disclosure of cyber intrusions has a material impact and is a source of significant reputational risk," Tom Kellermann, head of cybersecurity strategy at VMware, said via email. "For too long, the curtain of plausible deniability has been undermining cybersecurity investment."

The new legislation will help close visibility gaps for investigators and security responders, said Robert Sheldon, director of public policy and strategy at CrowdStrike, one of the nation's top cybersecurity and incident response firms. CISA and other relevant government agencies need timely access to threat information and ransomware, he said.

"Cyberattacks targeting critical infrastructure have grown increasingly severe and impactful over the past couple of years," Sheldon said. 

The law closes some visibility gaps for both investigators and responders, Sheldon said, which can help strengthen the overall security posture of critical infrastructure providers. 

However, providers still need to push to incorporate best practices for the purpose of proactive defense, including the use of endpoint detection and response, zero trust and sound log protection practices. 

Top vendors weigh in

In the months following the December 2020 discovery of the SolarWinds attack, Microsoft was a major proponent of greater information sharing between industry and the federal government. 

Microsoft, a target of the SolarWinds threat actor, which it dubbed Nobelium, publicly called out numerous other firms in the information technology space that were known to have been impacted by the same threat actor, either through the SolarWinds vector or direct impact, but failed to publicly share detailed threat information. 

"Amid increased threats from nation-state adversaries and cyber criminals, it's great to see Congress pass bipartisan incident reporting legislation — a strong step to shore up our nation's cyber defenses in critical infrastructure and strengthen the cyber ecosystem," Tom Burt, corporate vice president, customer security and trust at Microsoft said in a tweet after the Senate passed the incident reporting provision.

SolarWinds, which was originally notified of the attack by FireEye Mandiant researchers, said it readily shared threat information with federal authorities after the attack. 

Companies need to be open and transparent about disclosing sensitive data in order to prevent malicious attacks from spreading to other companies in the future, the company said.

"SolarWinds voluntarily notified the U.S. government when we learned of the Sunburst incident, which targeted SolarWinds and other companies, and we offered complete and total cooperation," Chip Daniels, head of government affairs at SolarWinds, said in an emailed statement. "The nature of today's cyberthreat landscape means the defense roles of the public sector and private companies are more interconnected now than ever - cybersecurity is everybody's responsibility."

SolarWinds fully supports the new regulations, Daniels said, and described the approach by CISA Director Jen Easterly and her team as spot-on. 

The practical import of this legislation will require a better understanding of the interim rules from CISA, however Daniels added that SolarWinds is looking forward to more details on how the process will play out. 

What it gives authorities

Beyond sharing cyberthreat information, the new regulations are designed to give federal authorities more insight and actionable intelligence on ransomware and extortion crimes in real time. 

While companies have been reluctant to share information on data breaches and simple supply chain attacks, they've been even more secretive about ransomware attacks. The hesitation is, in part, because they face the possibility threat actors posting sensitive company data or compromising information on the Dark Web or selling it to secondary threat actors.

Colonial Pipeline executives quietly shared information about $4.4 million in payments made to the threat actors, following an attack that caused a six-day shutdown of its massive fuel pipeline. The FBI was able to recover about $2.3 million through a court-ordered operation to claw back part of the bitcoin payments Colonial provided during the attack. 

"When Colonial's systems were threatened by a bad actor, notifying the authorities was a logical step," the company told Cybersecurity Dive. The FBI — and CISA via the FBI — were contacted by midday. 

The federal government can play an important role in providing guidance and sharing best practices for responding to an attack of this type, the company said, including sharing lessons learned from prior incidents. 

Colonial officials emphasized the importance for companies to have clear directions of who they should be working with in the government. A concern in the past has been company leaders did not know which agency was responsible for handling incidents. 

"For companies defending against these evolving threats or responding to an attack, having clear knowledge of who in government they should be coordinating with is important," the company said.

When a supply chain attack occurs, companies have to weed through their software to find the bug before bad actors do. But a movement in the security space is trying to make that search easier. 

President Biden's May cybersecurity executive order established improvements to software supply chain — it's the government's way of leading by example. Among its recommended enhancements was a requirement for a software bill of materials (SBOMs) for software vendors contracting with the federal government. SBOMs are a written record of the "ingredients" comprising a software product — open source and proprietary code — provided to anyone building software, buying software, and operating software. 

The Edison Electric Institute, which represents investor-owned utilities, and the North American Transmission Forum, which serves as a forum for power transmission entities, have been working with the federal government to pilot the use of SBOMs in the energy sector. In collaboration with the U.S. Department of Commerce and the Department of Energy's Idaho National Laboratory, they launched a proof of concept program this year to utilize SBOMs.

SBOMs are theoretically a reasonable security measure, allowing everyone in the supply chain to refer to their ingredients if a vulnerability or update emerges. Yet, like any cybersecurity tool, it's never as easy as one solution. 

For critical infrastructure owners and operators, like utilities, cybersecurity has become a pressing issue as ransomware attacks have increased and the threat to operational technology grows. The North American Electric Reliability Corp. is gearing up for its its biennial security exercise in November, and officials say the mock attack includes a software compromise.

Keeping track of what software is made of is "really not that difficult," but the issue SBOMs don't and can't address is software development within legacy systems, said Johannes Ullrich, dean of research at the SANS Institute. "It'll never happen for that code … I don't think it's realistic to expect that a 10- to 20-year-old code will ever have a reasonable SBOM." 

But the future is more promising for SBOMs, with tools to automate the software audit and standards promoted by the National Institute of Standards and Technology (NIST) through Software Identification (SWID) Tagging, The Linux Foundation's Software Package Data Exchange, and an industry-championed effort through CycloneDX, according to Matt Howard, EVP and CMO at Sonatype. 

The National Telecommunications and Information Administration (NTIA) has published standards, or "minimum elements," required within 60 days of the executive order. But Ullrich anticipates more concrete standards from NIST or the Cybersecurity and Infrastructure Security Agency (CISA) eventually as the executive order gave NIST 45 days to define "critical software." 

"That definition shall reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised," the executive order said. 

If SBOM principles extend to all software, beyond what NIST says is critical, companies could be better equipped to spot bugs that impact a supply chain. SBOMs should give security executives some peace of mind by answering these questions in light of a new vulnerability, whether it's in software they built in-house or purchased: 

• Do we know whether our production software applications are using a particular version of code that is now vulnerable? 
• Where is it?  
• How quickly can we patch it? 

"Without an SBOM, the timeline for fixing those vulnerabilities can stretch into months or years because security teams have to wait for notification from each supplier," said Sounil Yu, CISO of JupiterOne. But "legacy software without an SBOM is like a can of food from the 1920s without an ingredient label. Consume at your own risk." 

Nothing new

While there is a lot of promise in the ability of SBOMs to formalize the artifacts within software builds and launching applications into production, it does not make SBOMs a silver bullet. 

That "doesn't mean it's not a good idea," said Howard. "When there's transparency in any situation, I think there's just generally speaking goodness."

Sometimes developers can go rogue, and skirt approved dependencies. Developers can copy and paste code, effectively bypassing source code management. These are both examples of what SBOMs are meant to prevent from happening. 

SBOMs create ownership and accountability for software makers because they force suppliers "to be honest with themselves," Ullrich said. Software makers might want to protect the components they use, though disclosing detailed proprietary code is not required in SBOMs. 

According to the NTIA, SBOMs typically include: 

• Author
• Supplier
• Component name
• Version string
• Component hash
• Unique identifier
• Licensing

Keeping an ingredients list of software is something companies have done internally for years. It's just now that the term "SBOM" has received some recent attention. In the open source community, users are expected to declare certain script dependencies to build software, the difference now is that SBOMs expect more rigor or the security implications it has, according to Ullrich. 

SBOMs are the cybersecurity and software space reaching accountability levels other industries hit decades ago. Historically, "there's no such thing as software liability in the industry," said Howard. There are already third-party vendors and engineering teams that practice SBOM principles, but the executive order will not make the entire industry shift to SBOMs. 

If a major software vendor has been successful at selling its product, its intellectual property without liability attached, "it's not a bad place to be," Howard said. "Before there was a concept of product liability for the automobile manufacturers, there was no concept of product liability." 

Consider the Apache Struts bug that led to the Equifax breach, Howard said. "Instead of a bad airbag, it's an Apache Struts defect, right?" 

Challenges to expect

SBOMs will be costly and they will take resources to scale. Software makers know that regularly numerating their dependencies increases maintenance costs, adds more responsibility to "shifting left," and integrates SBOM standards into the development pipeline. If customers are not demanding SBOMs in their contracts, companies may not voluntarily change their transparency efforts, and maintain SBOMs internally. 

Even if a software vendor does not share an SBOM with a CISO, its ability to easily produce one "gives me a higher level of confidence that their software development practices are modern or mature enough" to offset vulnerabilities in poorly maintained software, Yu said. 

Software vendors can expect to see customers demanding SBOMs in their contracts. It will likely start with large contracts until it becomes a norm across all customers. However, even if every software maker provided SBOMs to every customer, there is still a large portion of the economy "that simply wouldn’t know how to use this information," said John Bambenek, principal threat hunter at Netenrich. 

"Many companies struggle to implement best practices we already have. It’s naïve that a new best practice will be implemented universally," he said. 

But the SBOM inclusion in the executive order was intentionally meant for government and private industry, though the two sectors see SBOMs in different ways. Government wants SBOMs because they might reduce risk to national security, whereas private industry might see SBOMs as a cost issue. 

"If you want to get malicious software into a government agency for use in espionage, a supply chain attack is your best way," Bambenek said. 

SBOMs are only one piece of good cyber hygiene — it's another step toward improved security posture across industries, and the public and private sectors. But with code, there is so much of it constantly in production and shared in codebases, keeping track of every piece will be challenging. 

"Knowing what software components lie within an application via SBOM is helpful, but this is an extremely low leverage tool," said Mohit Tiwari, co-founder and CEO of Symmetry Systems and associate professor at the University of Texas at Austin. 

Legacy code will always be an issue, even if modern software all comes with SBOMs.  "Consider that the most high assurance software in the world costs about $10,000 per line of code and software like the SeL4 operating system is only 10,000 lines of code and needs over 200,000 lines of verification code," he said. 

DOE Secretary Jennifer Granholm in June told CNN that enemies of the United States have the capability to shut down the U.S. power grid, and "there are very malign actors trying, even as we speak."

Granholm was discussing President Joe Biden's push to better secure the utility sector, which faces a growing threat from ransomware and attacks on operational technology. There are mandatory security requirements and high levels of redundancy built into the U.S. bulk power system, but when asked if a sophisticated hacker has the capability to crash the grid she replied soberly, "Yeah, they do."

That may bring to mind worst-case doomsday scenarios, but security experts say there is little imminent risk that hackers will cause a widespread blackout, despite a near-constant barrage of attacks on utilities and grid assets.

"I don't think the threat to reliability is imminent" even as more operational technology (OT) is internet accessible, said Lila Kee, general manager for GlobalSign's North and South American operations. "Attackers are getting smarter and as we move OT online the threat surface will be wider, but what these hackers are doing is espionage. They're going after data, they're going after [intellectual property]."

"If they wanted to go after the OT networks, from a sabotage standpoint, that's an act of war," Kee said. "And I don't think even some of the biggest state actors are going to poke that bear."

There are a variety of hackers and groups, "and their goals are similarly varied," Kevin Perry, formerly the director of critical infrastructure protection at Southwest Power Pool, said in an email. Perry retired in 2018.

"Most cyber attacks today are financially motivated," Perry said, with hackers attempting to steal credentials, company or customer financial information, or intellectual property. "Basically, information that can be used for financial gain."

But "there are attackers whose aim is to disrupt the business, either with ransomware or by attacking and manipulating the business-critical systems," Perry added.

An act of war 

Crashing the grid would require a sophisticated attack and knowledge of electricity systems. Like Kee, Perry also sees little appetite for the most dramatic attacks.

"OT systems are very complex and the attacker will need a certain level of knowledge and sophistication. That [would] most likely be a nation-state backed hacking group," he said. "An activity of a nation-state actor that intentionally causes a blackout will likely be viewed as an act of war and will likely result in a kinetic or electronic response, or both, once the actor has been positively identified."

Right now, hacking groups in Russia, China, Iran and North Korea, are all known to have high levels of sophistication. The electric industry, however, says it is prepared for a future where more hackers have those capabilities.

"Sophistication can ultimately be bought," Edison Electric Institute (EEI) Vice President for Security and Preparedness Scott Aaronson said. EEI represents investor-owned utilities, which provide electricity for about 220 million people in the U.S.

Taking down the grid would require a very complex attack but "we are preparing for that possibility today," Aaronson said.

Less sophisticated attacks are frequent, say experts, and often have little or no impact on operations.

"We've responded to intrusions at generation plants and within control centers," said Ben Miller, vice president of professional services and research and development for Dragos, a security firm focused on operational technology (OT) environments. "But did those cause a blackout or outage? No."

The attacks were opportunistic and in many cases hackers may not have even known what OT environment they were in, Miller said.

"Gaining access into a grid facility is certainly in the realm of possible, even accidentally," Miller said. But between gaining access and having a particular impact "is a lot more sophistication than ransomware or a malicious piece of malware, and it does rise into that state-aligned category."

And the U.S. grid is designed with such redundancy in mind, that even if a hacker were able to take down the largest generating asset on the grid — the 6.8 GW Grand Coulee Dam in Washington — it would not cause a blackout, said security consultant Tom Alrich.

"Plants being down should never be the cause of an outage," Alrich said. "That's the whole idea of a reliability coordinator. They make sure there's always enough backup to cover any contingency."

All that said, experts agree it is possible for hackers to cause a blackout. 

"Now, if you start to have a bunch of plants go down at the same time, that's another story," Alrich said. "But plants are not the problem. ... When you're talking about really serious attacks, you're talking about attacks on control centers or attacks on substations."

A brief history of energy cyberattacks

For the most part, the United States has avoided grid impacts from cybersecurity threats. A 2018 attack interrupted communications on the Midcontinent Independent System Operator, grid but customers ultimately felt no reliability impacts. But there is history.

The most well known grid cyberattack in the world occurred in 2015 when hackers knocked out power to almost a quarter million people in Ukraine. The attack, widely attributed to Russia-backed hackers, was possible because "there was not proper isolation between the IT and OT systems," said Perry.

Hackers compromised IT systems via a successful phishing email attack, he said, and were then able to move throughout the network to attack the utility's energy management system. They downloaded malicious firmware that impacted grid operators' ability to communicate with substations while also controlling key equipment.

Experts say the Ukraine outage remains largely consistent with how hackers could attack the U.S. grid today.

Other vulnerabilities have been studied. In 2007, Idaho National Laboratory's Aurora Generator Test proved a cyberattack could physically destroy a generator by connecting it to the grid out of phase, which leads to extreme torque and the machine breaking down.

Most recently, the North American Electric Reliability Corp. (NERC) said the 2020 SolarWinds attack, in which sophisticated malware was inserted into the software supply chain, exposed a quarter of the electric utilities it regulates to the vulnerability. The electric sector could take years to determine the full impacts of that attack, say experts.

And the attack on Colonial Pipeline, which transports refined oil products, had no electric grid impacts but is an example of unintended consequences. Hackers attacked Colonial's IT system and the company defensively shut down the pipeline.

 "When there's a ransomware attack in the IT network, it will inevitably result in an outage on the OT network," Alrich said. Utilities aren't going to turn off the power to mitigate a cyberattack, he said, but the MISO attack is an example where a control center was taken offline to avoid impact.

SolarWinds and Colonial are good examples of the threats facing the energy sector, said NERC Senior Vice President Manny Cancel, who is also CEO of NERC's Electricity Information Sharing and Analysis Center (E-ISAC).

SolarWinds illustrates the threat to supply chains, "and in that case, the adversaries solved the 1-to-many problem," said Cancel, compromising a single platform and subsequently infecting thousands of users. The Colonial shutdown shows hackers "don't necessarily have to target control systems" to have societal impacts.

And the threat shows no sign of abating, he added. The number of software vulnerabilities announced for control systems in 2021 "substantially eclipses" prior year warnings.

E-ISAC is preparing to facilitate GridEx VI, a biennial security exercise, Nov. 16-17. The event allows electric utilities to test their cyber and physical security plans in response to mock attacks, and the 2019 iteration drew more than 6,500 participants. The 2021 exercise will include a simulated software compromise, said Cancel.

How a successful attack might happen

If an adversary did pull off a successful grid attack, it might look similar to the Ukraine incident, say experts.

According to Perry, an attacker would need to gain access to the OT systems and interfere with their operations, including Supervisory Control and Data Acquisition (SCADA) and Energy Management System (EMS) systems in the grid's control center. Hackers would "either cause it to improperly control the equipment in the substation or generating plant, or leverage its connections with the substations and generating plants to compromise the cyber assets in the field," Perry said.

That's essentially how the Ukraine attack occurred, and it remains a potential method today, experts warn. "They were then able to move throughout the network to find and attack the SCADA/EMS," said Perry. The attack worked, he said, "because there was not proper isolation between the IT and OT systems."

Once hackers were in the SCADA system, they installed malware into devices used to communicate with the substations, and also to remotely operate the SCADA/EMS to open breakers in the substations. 

Likely attack surfaces

To disrupt the power grid, a hacker would need to compromise systems at one or more of three types of assets: control centers, substations or generating plants.

Generation is actually the least likely to be attacked, say security experts, in part due to the redundancy of the grid. And plants with multiple units also tend to have systems that are segregated from one another, limiting the potential impact of an attack. There are "very few common systems in the plant able to impact multiple units," Perry said, with separate units tending to have separate operator control and process control networks.

Control centers are a likely attack surface, said Miller, with their large geographic view across a territory. If hackers can disable communications at a center, cutting a grid operator's visibility into their system, then utility officials could be blocked from re-energizing a line if a substation protective relay is disabled.

"That was essentially the 2015 [Ukraine] attack, basically using the system as it's designed against itself in order to de-energize those lines," Miller said.

"There are a couple of attacks" that are possible on today's grid, said Miller, though he declined to walk through how they may happen. "Certainly a nefarious electrical engineer could do a system analysis view of how they would destabilize the grid and that would give the attackers their objective."

A control center SCADA device can receive data from and issue control commands to multiple substations or generators. "If an attacker can compromise the SCADA/EMS, then the attacker can conceivably impact any or all of the substations and generating plants the SCADA/EMS communicates with," Perry said.

Substations are the next most-likely attack surface, he said. Opening the right breakers in the right substations "will de-energize transmission lines and could result in transmission line and generator trips due to line overloading or the voltage and frequency excursions that resulted from the initial line de-energization."

While NERC's critical infrastructure protection standards set baseline security for the bulk power system, federal regulators have been considering whether stricter standards for distributed resources on the grid are needed. There is some support in the vendor community for lowering megawatt thresholds to require stricter rules, but the utility sector says new and updated standards are expected to address any security gaps. 

Cascading failures: Lessons from 2003

For a widespread blackout to take place, an equipment failure essentially has to be significant enough to unleash a chain of events.

"There has to be enough failure to cause a significant frequency or voltage excursion, which results in breakers being opened specifically to protect the equipment from damage," Perry said.

The 2003 blackout in the Northeast is an example — and has a cyber component, despite there being no hacker involved.

"The blackout occurred when a [transmission] line overloaded and was not dealt with in a timely manner, causing more lines to overload and trip, generation to trip off in response, more lines to trip, and so forth, until the grid became sufficiently unstable to cascade into a large geographic area outage," said Perry.

The problem was enabled by the failure of two safety features, he said: a FirstEnergy alarm subsystem and the State Estimator at the Midcontinent ISO. But grid officials say lessons from the 2003 event have since been incorporated.

There have been "various controls and safeguards built into the grid to prevent a cascading effect similar to what you saw in 2003," said Cancel.

How the grid recovers

Once utilities have regained control of their systems, recovery looks like it does for any widespread event, say experts. Grid operators have plans that rely on generation with black start capabilities, used to help get large fossil plants back up and running.

These are sometimes hydro, solar or wind units, said Perry, but are more often diesel and gas combustion turbines that can be started with batteries. It can take up to 24 hours for some larger steam-driven plants to get back up and running, he said.

"As the fossil plant is brought up, load is added to keep the unit stable," said Perry. "If things become unbalanced, the newly energized grid can collapse and the process starts all over again."

Recovery from a grid attack will depend on how widespread the impacts are and "the level of damage that has occurred," said Cancel. If hackers have "just found a way to shut down systems, maybe you can recover in short order."

"That being said, the industry has plans and we demonstrate this every day," said Cancel. "Look at our response to storms. The industry has a history of being able to respond to disasters." 

Mutual assistance is "the superpower of the industry," said EEI's Aaronson, though it is more frequently considered in terms of storm recovery. The utility sector's Hurricane Ida response, for instance, brought more than 27,000 workers into Mississippi and Louisiana this summer to help restore power.

The Electricity Subsector Coordinating Council (ESCC) runs a cyber mutual assistance program, which helps utilities procure services, personnel and equipment, including replacement of high voltage transformers, in the event of an attack.

The cyber assistance program has more than 170 participants, including electric and and gas utilities and grid operators. According to the ESCC, participants in the program cover approximately 80% of U.S. electricity customers, three-quarters of U.S. gas customers, and another 1.25 million electricity customers in Canada.

"This is an industry that has a culture of mutual assistance. That was a construct that we wanted to leverage for cyber threats," Aaronson said.

The utility sector needs precise information about the federal government's equipment concerns and better visibility into manufacturing supply chains in order to keep the electric grid secure, several groups told the U.S. Department of Energy in June 7 comments responding to a call for cyber and supply chain security recommendations to secure the electric grid.

However, new regulations and security requirements are not necessary at this time, according to the Edison Electric Institute (EEI), which represents investor-owned electric utilities. That idea was echoed by other industry groups filing comments.

Utilities support development of a U.S.-based supply chain, to move away from Chinese grid equipment, but warn that such a move could cause a short-term rise in prices due to a lack of suppliers. Procurement of some large power transformers, EEI noted, "may primarily depend on a single country."

Utilities say they need clear direction from the government on any equipment bans, and help getting more information on what components make up the grid equipment in use. But they also warn that, at this point, new regulations could get in the way of making the grid more secure — and could even affect its operations.

"Many efficiencies can be gained in leveraging existing cyber and physical security and supply chain processes, as opposed to creating and imposing upon the industry a new set of processes that could disrupt existing measures to combat the threats or access to critical equipment," EEI said in its response to the request for information (RFI).

'Spillover' effects on reliability 

New directives from DOE, whether addressing supply chains or equipment in use, could affect the market for critical equipment and "have a spillover effect on the day-to-day grid reliability," EEI said, and "may increase the ultimate costs to electric customers."

Smaller utilities also questioned the need for new security requirements. The American Public Power Association (APPA) filed comments jointly with the Large Public Power Council, the National Rural Electric Cooperative Association and the Transmission Access Policy Study Group.

The groups urged DOE to "focus on the extent to which existing standards have been successfully implemented in the electric utility sector to help frame the scope for any new regulations." And if DOE sees risks that are not being addressed in the existing required supply chain standards, the agency should consult with the Federal Energy Regulatory Commission and/or the North American Electric Reliability Corp. (NERC), and "provide actionable information that can inform appropriate standard revision."

"It would be burdensome on utilities, in particular smaller entities like public power utilities and electric cooperatives, to require them to report on supply chain requirements to more than one federal regulator," APPA and the other groups said.

EEI also noted that NERC's critical infrastructure protection standards are relatively new, and consequently, additional requirements or standards at this point are premature. "Rather time for implementation and gap analysis is warranted to determine whether any changes or additions are needed," the group recommended.

The Nuclear Energy Institute, which advocates for the industry, told DOE, "we do not see the need for any additional assistance, security requirements, or procurement practices to be imposed on the commercial nuclear power fleet at this time." The group also said it does not see a need for DOE to issue any prohibition orders on "equipment or infrastructure associated with the commercial nuclear power fleet."

Supply chain visibility

Supply chain risks have come under heightened scrutiny since the SolarWinds hack. About 25% of power utilities were exposed to the software vulnerability, according to NERC.

Experts say modern software and equipment is made up of hundreds or even thousands of components which must be examined for vulnerabilities. EEI said its companies need specific details on any piece of equipment that DOE might flag for concern.

"The supply chain for electric power equipment is enormous ... and it is not the end-use electric companies who have information about what is inside those pieces of equipment or components," EEI said in its comments.

Utilities have tools to identify threats to the supply chain and electric grid, but EEI said "by definition, these are not all encompassing. Government has access to sensitive information that it should find ways to share so all affected stakeholders understand what equipment is of concern and why it is of concern."

The utility group encouraged DOE to "collaborate with and help electric companies by sharing this information and include other stakeholders who have the knowledge."

EEI also said the DOE could work with the National Institute of Standards and Technology to develop "consistent criteria" for a hardware and software bill of materials (SBOM). An SBOM indicates what components are in a piece of software, allowing utilities to track and patch vulnerabilities.

"Doing so would support standardization in these bill of materials, which would make the development and provision of such useful tools for the purposes of identifying provenance and the potential presence of any foreign ownership or control," EEI said.

President Joe Biden signed an executive order May 12 to improve the country's cyber defenses, and it required use of an SBOM in government procurements. EEI has been been collaborating with the federal government to pilot the use of SBOMs in energy sector procurements. 

The Electric Power Supply Association, which represents competitive providers,  said DOE could consider strengthening industry procurement efforts "by crafting standardized cybersecurity contract language and creating a whitelist of suppliers who manufacture component and subcomponent parts." 

Foreign ownership

While DOE examines the potential of new security requirements, the RFI said the federal government expects utilities will "act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence."

It's not that simple, warned utilities.

The concept of "foreign ownership, control, and influence” is "very broad," APPA told the agency.

"To the extent DOE moves in this direction, the industry would benefit from efforts by DOE and other government agencies to identify actionable information regarding threats from adversaries abroad," APPA said.

EEI said its companies need clear guidance on what specific factors — including location of manufacturing or level of equity ownership — would constitute "foreign ownership, control, and influence."

"Otherwise, procurement decisions cannot be made with certainty. For example, given the number of equipment suppliers that are publicly traded and the speed at which stocks change hands, electric companies could never be certain whether a supplier has foreign ownership," EEI said.

The United States electric grid faces a growing set of cyber and physical threats, and the co-chair of the CEO-led Electricity Subsector Coordinating Council (ESCC) wants the electric utility industry to begin considering how a mutual aid approach might be used to "black start" an entire region of the country in the event of a massive blackout.

Partnerships across industry and with the federal government will be necessary to maintain reliability and to forcefully deter hackers, ESCC lead and Southern Co. CEO Tom Fanning said Thursday at the Edison Electric Institute's annual industry event.

Fanning's comments on collaboration came on the same day that the House Energy and Commerce Committee advanced four bipartisan bills aimed at bolstering the nation's energy cybersecurity, including through enhanced public-private partnerships and by empowering the Department of Energy (DOE) to take the lead on security issues.

In order to protect the United States' electric grid, utilities will need to partner with each other and the federal government, said Fanning, including those who will "hold the bad guys accountable."

That means the U.S. Department of Defense, Federal Bureau of Investigation, Secret Service and Cyber Command, said the ESCC co-chair. The ESCC serves as the principal liaison between the federal government and the electric power industry in preparation and response to critical infrastructure threats.

Industry needs the government in order to "impose costs" on hackers, said Fanning. "If the bad guys come after us, there has to be an eye for an eye — or better. We want to make sure the bad guys understand there will be consequences for messing with us."

Colonial pipeline attack shows 'industry can't do it alone'

Fanning's comments follow the May shutdown of Colonial Pipeline, after hackers stole data and compromised the company's systems with ransomware.

Colonial Pipeline President and CEO Joseph Blount Jr. testified Tuesday before the U.S. Senate Committee on Homeland Security & Governmental Affairs, telling lawmakers that government partnerships are essential to energy security and "private industry can't do it alone."

While industry needs the federal government to defend against an increasingly sophisticated threat, recovery from any large attack will require private industry to work collectively, said Fanning.

Southern, which delivers electricity and gas across the Southeast, had just finished a black start test around the time hackers shut down Colonial Pipeline, said Fanning. 

A "black start" is the process of restarting grid equipment or generators without the use of external power, as may be required following a blackout.

"I just started thinking it might be really useful across the industry, now that we have this idea of mutual assistance and mutual operation, to really think in a broader sense how we black start a whole region of the United States," Fanning said.

While recovery means private industry partnerships, keeping hackers at bay will require greater cooperation with government, say experts.

Fanning, and Berkshire Hathaway Energy CEO Bill Fehrman, who also spoke at EEI's event, were both consulted in the planning of President Joe Biden's 100-day cybersecurity push for the electric sector that began in April.

The initiative is "really an effort to get an industry-wide focus on industrial control systems and operational technology," said Fehrman. He hopes that within those 100 days, industry can pull off "an incredibly sprint" that would result in the installation of technologies capable of monitoring operational technology (OT) networks and sharing that information with government partners.

"Having a foundational system that can collect OT data, get it to the government, and ultimately get it into the hands of the intelligence community ... is really going to expedite our defensive posture," said Fehrman. 

The investor-owned community is proposing to use Dragos' Neighborhood Keeper System, said Fehrman, and hopes to have enough entities signed up at the end of the 100 days to cover 80-85% of customers in the U.S. Neighborhood Keeper is a collective defense system led by Dragos in partnership with DOE.

Legislation advanced by the Energy and Commerce Committee would encourage more coordination between DOE and the electric sector.

4 bipartisan security bills

Lawmakers say the Colonial pipeline attack was a reminder of the urgent need to secure the nation's energy infrastructure.

"As bad actors become increasingly sophisticated ... it is imperative that we keep pace, and today that is exactly what we voted to do," Energy and Commerce Committee Chairman Frank Pallone Jr., D-N.J., said in a statement.

The following bills were passed on a voice vote:

• H.R. 2928, the "Cyber Sense Act of 2021" empowers DOE to assist with grid security and requires the Secretary of Energy to "establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, and for other purposes";
• H.R. 2931, the "Enhancing Grid Security through Public-Private Partnerships Act," directs the Secretary to consult with states, industry and federal agencies to enhance the physical and cyber security of electric utilities";
• H.R. 3078, the "Pipeline and LNG Facility Cybersecurity Preparedness Act," strengthens DOE's ability to respond to pipeline and liquefied natural gas facility threats; and
• H.R. 3119, the "Energy Emergency Leadership Act," will elevate energy emergency and cybersecurity responsibilities as a core function for DOE.

H.R. 2931 would also provide training to electric utilities to "address and mitigate cybersecurity supply chain management risks."

The four pieces of legislation combined, said Pallone, represent a "first legislative step toward addressing growing cybersecurity threats and vulnerabilities in our energy infrastructure."

The cyberattack on Colonial Pipeline illustrates how difficult it will be for electric utilities to protect their grids from disruption, experts say, even when attacks are primarily targeting information technology (IT) systems.

The Colonial ransomware attack never migrated into the pipeline's operational technology (OT) environment, and the company says the shutdown was a proactive safety measure. That's good protocol, security experts say, though it simultaneously exposes a vulnerability:

"If you have an attack on the IT network, the OT network is going to go down," according to electric utility sector security consultant Tom Alrich.

An attack on one ... 

Colonial transports gasoline, jet fuel and other refined products, but experts say a similar attack on a natural gas pipeline could have impacted combined cycle generation facilities. Federal power regulators are now calling for new pipeline security requirements.   

The Colonial attack did not directly affect the electric sector, but that is beside the point, security experts say. U.S. critical infrastructure is under attack, with Colonial now sitting alongside SolarWinds and the Oldsmar, Florida, water facility hack as examples of the country's lagging security.

"Every electric utility, pipeline operator, power plant, or anything else related to the energy sector should view this [as an] attack on themselves," said Jerry Ray, chief operations officer at cybersecurity company SecureAge. "There's nothing that Colonial did or didn't do with its cybersecurity defenses that would significantly differ from that of any other major company within the industry."

"You can't have a ransomware attack on your IT network and not have it affect the OT network unless it's like one machine," Alrich said. "In theory," Colonial could have shut down the IT network and left its OT operating, "but in practice that's a very bad idea," he said.

OT networks often need some information from the IT side, so there can be operational impacts [of an IT attack], Alrich said. While the risk of malware migrating from IT to OT may be minimal, if it were to happen, the effects could be devastating.

The Federal Bureau of Investigation has identified the hackers behind the Colonial attack as Darkside, a group of cybercriminals that supply ransomware to other hackers.

The group acknowledged the disruption in a statement, but it said its attack was financially motivated and not designed to halt the pipeline's operation.

"Our goal is to make money and not creating problems for society," Darkside said in a statement. "From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."

Experts say the economics of ransomware — cheap to deploy, and potentially very lucrative — means the problem will grow.

"This is not the first ransomware cyberattack on an oil and gas utility — and it won't be the last — but it is the most serious. It is also potentially one of the most successful cyberattacks against US critical national infrastructure," David Bicknell, principal analyst at GlobalData's Thematic Research, said in a statement.

FERC head calls for new pipeline security requirements 

The Colonial attack led the head of the Federal Energy Regulatory Commission to call for consideration of pipeline cybersecurity standards similar to the North American Electric Reliability Corp.'s Critical Infrastructure Protection standards. 

“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector," FERC Chair Richard Glick said in a statement. Glick was joined by Commissioner Allison Clements in the call for stricter requirements.

"Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors," the regulators said.

The Colonial attack has revealed a "gap" in critical infrastructure security, said Yury Dvorkin, assistant professor of electrical and computer engineering at the New York University Tandon School of Engineering.

"While cyber intrusions can be identified in a timely fashion, that is before these exploits are operationalized to damage infrastructure, there is still a gap in cyber defense capabilities that would avoid the need of shutting down the entire infrastructure," Dvorkin said in an email.

Energy systems need tools to analyze, localize and isolate cyber threats "before they propagate and affect large portions of the infrastructure, thus increasing the likelihood of complete shut downs," he said, pointing to artificial intelligence and machine learning as a possible solution.

The Edison Electric Institute, which represents investor-owned utilities, is keeping an eye on how the Colonial hack could impart lessons to the electric power sector.

"As this investigation unfolds, it will be important to understand how control systems were impacted — if at all — and what mitigation was effective," Scott Aaronson, EEI's vice president for security and preparedness, said in a statement.

Attack should be a 'wake-up call for the electric side' 

The proactive shutdown of the Colonial pipeline is a feature, not a bug, experts say.

"Assuming they are able to isolate the attack and bring the control systems back online within a few days, this will be a shining example of a company's ability to respond to and mitigate an attack," Nick Cappi, cyber vice president of portfolio strategy and enablement at Hexagon, said in an email.

However, higher fuel prices, shortages and rationing could result if Colonial is not back online soon, Cappi said.

The company issued a statement saying it is working to return to service "in a phased approach" with "the goal of substantially restoring operational service by the end of the week."

Security firms recommend multifactor authentication, tested incident response plans and off-site system backups to avoid similar ransomware attacks in the future.

"I would hope that the gas pipeline hack is a wake-up call for the electric side of the power industry. Imagine a similar attack on the power grid in the dead of summer," Rick Tracy, chief security officer and product manager at cybersecurity firm Telos Corp., said in an email. "How many heat-related deaths might occur in the hottest parts of the country? Let's not wait to find out."

The risk to critical infrastructure is a long festering concern in the cybersecurity industry. Researchers, corporate security officers and government experts feared that energy producers, utilities and water systems lacked the manpower and investment in security.

The risk increased with the exposure of industrial control systems to the open internet and connected to IT systems through automation. 

Industrial control systems had 893 vulnerability disclosures in 2020, up 25% year-over-year, according to 2021 data from industrial cybersecurity firm Claroty. Critical manufacturing, energy — which includes electricity, oil and natural gas — and water and wastewater reported the most vulnerabilities. 

The oil and gas industry in particular grew more dependent on digital technologies to streamline operations in recent years, which increased the attack surface that was vulnerable to cyber activity, according to Moody's Investors Service. 

As Colonial Pipeline slowly restores full service following last week's ransomware attack, the Biden administration, security researchers and industry analysts are scrambling to understand exactly how the massive pipeline operation was compromised by a Russian-linked ransomware gang DarkSide. 

The attack exposed years of underinvestment and inaction that dragged out much needed enhancements to energy, utilities, water and other systems that desperately needed additional protection against sophisticated nation-state and criminal adversaries. 

"The ransomware attack on Colonial Pipeline illustrates that cybersecurity is a growing credit risk, which can cause operational disruption to America's critical infrastructure," Leroy Terrelonge, VP at Moody's Investors Service said. "With cyberattacks rising in the energy sector as digital technologies streamline operations, oil, gas, electric power and renewable energy participants will continue to increase their cyber investments to mitigate these growing threats."

Spotty track record

The nation's preparedness for securing critical infrastructure has been spotty, according to Scott Shackelford, director of the Cybersecurity and Internet Governance program at Indiana University. 

"In total DHS recognizes 16 such sectors, from financial firms to water utilities" as critical infrastructure, he said. "In fact, the vast majority of the U.S. economy has now been designated as 'critical,' with the open question being if everything is critical, is anything?"

Critical infrastructure executives have known for years that automation and exposure to the public internet would make them more visible targets to malicious attacks.  

Among the growing cybersecurity concerns, ransomware attacks against critical infrastructure have steadily increased, according to data from Temple University. The university documented 396 ransomware attacks against critical infrastructure in 2020, up 93% year-over-year. 

"Cyberattacks that target industrial control systems have been rapidly rising throughout 2020 and 2021," Dawn Cappelli, VP global security and chief information security officer at Rockwell Automation. "Most of them are ransomware attacks by financially motivated groups that spread from a company's main network into the industrial control system operational network."

The state of operational technology is less mature than information technology security, Cappelli said in an email. Many companies lack important security items, including a comprehensive asset inventory, protective technologies like firewalls and network segmentation, tools to detect anomalous or malicious network activity or trained security staff to respond to attacks. 

"CISOs in companies that have OT environments should immediately create a holistic cybersecurity strategy for their converged IT/OT infrastructure, if they haven't done so already," she said. "This requires a cross functional team composed of IT, security and OT engineers."