When it comes to cybersecurity and critical infrastructure, there are generally more questions than answers. And for the last 10 months or so, the volume of concern and uncertainty has ramped up, largely because there’s little in the way of productive information sharing on threats, a serious lack of centralized leadership coordinating cybersecurity efforts among public and private sector interests, and attacks and vulnerabilities run largely unabated.
Researchers have called the state of SCADA and Industrial Control System security laughable in some instances, while in others, the industry is moving forward with progressive initiatives such as the smart grid and smart meter technology with minimal forethought given to information security. In the meantime, people such as Federal Energy Regulatory Commission chairman Jon Wellinghoff question where the authority lies for cybersecurity responsibility among utilities.
All of this is conspiring for a seriously deficient state of affairs, experts said.
FERC has made an attempt to right its ship. The keepers of the Critical Infrastructure Protection (CIP) standard late last week announced the creation of a new office, the Office of Energy Infrastructure Security (OEIS), whose mission is to identify, communicate and advise on risks to FERC facilities stemming from cyber attacks and physical attacks such as electromagnetic pulses.
“Creating this office allows FERC to leverage its existing resources with those of other government agencies and private industry in a coordinated, focused manner,” Wellinghoff said in a statement.
It’s not a major leap to think the creation of this office stems not only from the threats taking aim at energy utilities, but from industry pressure as well. Last November, a report from the Department of Energy came down on FERC’s unclassified cybersecurity program, with harsh words for its vulnerability management and remediation initiatives. While the report noted improvement over 2010’s findings in areas such as incident response and regular scans of systems and applications, there were still serious shortcomings when it came to the remediation of software vulnerabilities, in particular the commission’s inability to fully implement security policies and procedures, something FERC said stemmed from “resource constraints.”
OEIS would provide oversight, direction and guidance, and likely help assure these shortcomings got their necessary due from FERC’s highest ranking officials. The new office’s charter said it will focus on four areas:
- Develop recommendations on how to identify, communicate and mitigate threats and vulnerabilities to FERC facilities;
- Provide expertise and advise other government agencies and Congress in identifying, communicating and mitigating threats and vulnerabilities;
- Take part in interagency and intelligence-sharing initiatives;
- Outreach to private sector critical infrastructure owners and operators with information on threats and mitigation advice.
“It would be great to see this office work with other organizations (maybe in a leadership role) to provide a comprehensive set of resources for the industry,” said Seth Bromberger, Principal, NCI Security LLC, a security consultancy focusing on critical infrastructure. “These resources would need to cover all aspects of cybersecurity, including those that have traditionally been excluded because they’re not part of the bulk power system – AMI/AMR, Smart Grid, and distribution in general. Including the distribution networks will require close coordination with state PUCs and local regulators, but I think it’s time for us to take a holistic view of cybersecurity in the electric sector.”
Bromberger, former executive vice president of the Energy Sector Security Consortium and manager of information security at Pacific Gas and Electric Company, recently took part in the Oil and Gas Cyber Security Summit in Doha, Qatar. Ras Gas, a large natural gas producer in Qatar, was recently taken offline by a malware attack, and Bromberger said the incident was the catalyst for a high level of engagement at the event. Short term, he said he’d like to see the new FERC office define its role and relationship to other groups providing cybersecurity guidance to the energy industry, and identify overlaps and who has final say.
“I’d say industry outreach is the most critical to start with,” Bromberger said. “The industry needs to understand and agree to the value proposition of having another cybersecurity organization, especially one with regulatory authority.”
Effective information exchange of threat and vulnerability intelligence is still lacking between the public and private sector, Bromberger said, acknowledging that progress has been made and both sides of the relationship have committed to improving the state of affairs.
“The challenge, as I see it, is that there are already too many groups–both government and commercial–working on this problem; the end result is fragmentation,” he said. “It would be nice to have a single vetted agreed-upon process for information exchange. To my knowledge we haven’t seen a dialog between private and public entities on the best way of doing this, but I know that dialog is possible.”