With energy systems now massively digitized and interconnected, with attackers at all levels becoming more capable and aggressive, and with current approaches to cyber defense observably not keeping pace, something must give. The U.S. Department of Energy has responded, and by all accounts, the recent major revamp of its grid security strategy is a welcome and winning response.
The department’s “Multiyear Plan for Energy Sector Cybersecurity” makes it clear that DOE is fully embracing its role as the Sector Specific Agency (SSA) for the energy sector. Perhaps the most telling manifestation of this update is the announcement of an entirely new DOE organization dedicated to cybersecurity: The Office of Cybersecurity, Energy Security, and Emergency Response (CESER).
{mosads}I’ve had the pleasure of working with the great folks at both DOE and at the Idaho National Laboratory (INL) over the past four years. In support of CESER, INL — the DOE laboratory with arguably the greatest depth in industrial control systems cybersecurity — will play a central role in driving the department and industry to fulfill many of the new plan’s stated objectives, including the following high-level goals:
- Strengthen energy sector cybersecurity preparedness.
- Coordinate cyber incident response and recovery.
- Accelerate game-changing research, development & deployment of resilient energy delivery systems.
For the first two, INL, in close coordination with other DOE labs, industry partners, and state and local governments, is exploring and expanding the boundaries of innovation, and developing tools and techniques to better protect the power grid from cyberattacks.
Progress toward the third goal, however, is where the potential for the most transformational and truly game-changing progress lies. DOE’s audacious objectives here are threefold:
- Decrease the cyberattack surface of [grid systems].
- Block attempted misuse of the [grid systems] at every level.
- Decrease the risk posed by malicious functionality that could be inserted as components and systems traversing the supply chain.
A new approach is now being piloted that promises to make good on all of these. A recent Harvard Business Review article used some startling superlatives as it introduced and characterized the Idaho laboratories’ emerging “consequence-driven, cyber-informed engineering” (CCE) methodology.
It described as “brutal truth” the fact that attackers are greatly outstripping current defender-side capabilities, and identified now well-established business and technology trends (e.g. the internet of things, automation and AI) that portend ever widening gaps in the future. Calling it the laboratory’s “radical idea,” HBR pointed to CCE as possibly the best solution for beginning to get us out of this mess.
CCE aligns with DOE’s intent to “change the game.” No doubt about it, in its emphasis on engineering out cyber risks from things that matter most, CCE is a radical departure from cyber defense business as usual. It’s counter-intuitive and counter-conventional: most expect the only way forward in cybersecurity is to invent evermore complex new technologies to thwart highly skilled adversaries. Perhaps you’ve heard that because human defenders are slow and prone to error, artificial intelligence (AI) will save us? The only problem with that line of thinking is that it ignores two universal cybersecurity truths: 1) All security tools are dual purpose, and 2) Offense improves faster than defense.
Instead, CCE looks to tried and true engineering first principles and leverages the engineering prowess resident in all energy companies — and other industrial critical infrastructure organizations for that matter. It’s an extremely selective process based on ruthless prioritization, with the stated mission to protect things that simply must not fail. Its initial job is to help companies identify the handful of functions or processes without which they cannot long survive. After all, if you’re a nation-state or otherwise highly resourced adversary preparing targeted attacks on infrastructure to cause the most damage to the U.S. economy or military, that’s what you’re going to do. In fact, it’s what you’re already doing.
With many now coming to accept an INL mantra: “If targeted you will be compromised,” the adoption and adherence to CCE methods and mindsets will:
- Reduce the number of digital pathways hackers can travel to reach their targets to the absolute minimum.
- Backstop critical systems with analog safety systems to prevent destruction of long-lead-time-to-replace equipment.
- Train operators and engineers to understand that hackers are now one of the potential sources of equipment malfunctions.
Initial outcomes from pilot engagements confirm that these organizations soon find themselves, from a strategic cyber risk perspective, on demonstrably firmer ground. As the program scales in coming months and years many more critical infrastructure companies will benefit. And if DOE and its laboratories and industry partners can execute on the rest of the new multi-year cybersecurity plan, the nation as a whole will attain a much stronger posture before long.
Andy Bochman is the senior grid strategist at Idaho National Laboratory which focuses on energy security, and in particular, on the cybersecurity and resilience of the systems at the heart of the North American electric grid. Bochman was previously the global energy and utilities security lead at IBM and a senior adviser on security matters at the Chertoff Group in Washington DC.